Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More
Lazarus Campaign Uses Remote Tools, RATANKBA, and More
We analyzed a new RATANKBA variant that uses a PowerShell script instead of its more traditional PE executable form. In this entry, we provide in-depth analysis of the malware, as well as a detailed examination of its remote controller.
Updated the detection names on January 25, 2018, 9:47 PM PDT
Few cybercrime groups have gained as much notoriety—both for their actions and for their mystique—as the Lazarus group. Since they first emerged back in 2007 with a series of cyberespionage attacks against the South Korean government, these threat actors have successfully managed to pull off some of the most notable and devastating targeted attacks—such as the widely-reported 2014 Sony hack and the 2016 attack on a Bangladeshi bank—in recent history. Throughout the Lazarus group's operational history, few threat actors have managed to match the group in terms of both scale …
IoC