Lazarus downloader brief analysis
Starting off, I’d like to give a shout-out to Brian Bartholomew (Twitter: @Mao_Ware) for his general awesomeness and @DrunkBinary for his post on 30 January from which this research starts.
Using this as a base for the following Yara rule, I found a similar sample (SHA256: 625f63364312cec78a4c91abedba868d551d79185ff73e388f561017b13347f0) also packed with UPX.
rule LazarusDocJan2019_01
{
    meta:
        author = "Silas Cutler"
        description = "Detection for Lazarus Payload from Jan 2019"
        ref = "https://twitter.com/DrunkBinary/status/1090625122883510274"
        version = "0.1"
    strings:
        // anonymous ($) strings are valid in YARA when the condition uses "all of them"
        // debug markers left in the binary, including their surrounding double quotes
        $ = "\"Main Invoked.\""
        $ = "\"Main Returned.\""
        // format string built at runtime into a command line whose output is redirected to a file
        $ = "%sd.%se%sc %s > %s 2>&1"
    condition:
        all of them
}
As with the sample Bart identified, the control server is not obfuscated in the binary:
Sandboxing the sample confirms the malware beacons to this URL:
GET /intro/info/info.asp?id=dn678 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: poem.ekosa.org
Connection: Keep-Alive
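The beacon above gives two network indicators a defender can hunt for: the control host and the distinctive URI shape. The following script, an added example and not code from the original post, runs that logic over constructed proxy log lines; the log layout (epoch, client, method, URL, status) is an assumption, and the 198.51.100.20 line is made up to show the URI pattern firing on a host the post never mentions.

```python
import re

# Indicators taken from the beacon shown in the post.
C2_HOST = "poem.ekosa.org"
# URI shape of the beacon: /intro/info/info.asp?id=<bot id>
BEACON_PATH_RE = re.compile(r"^/intro/info/info\.asp\?id=[A-Za-z0-9]+$")

# Proxy log layout assumed here (hypothetical): <epoch> <client> <method> <url> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/\S*)?$")

# Constructed sample lines, not real traffic: the beacon, benign browsing,
# the same URI on an unrelated host, and the C2 host with odd casing.
SAMPLE_LOG = """\
1548900001.123 10.0.0.5 GET http://poem.ekosa.org/intro/info/info.asp?id=dn678 200
1548900002.456 10.0.0.7 GET http://www.example.com/index.html 200
1548900003.789 10.0.0.9 GET http://198.51.100.20/intro/info/info.asp?id=ab123 404
1548900004.000 10.0.0.5 GET http://POEM.EKOSA.ORG/ 200
"""

def classify(url):
    """Return (host, path, reasons) for a URL, or None if it does not parse."""
    m = URL_RE.match(url)
    if not m:
        return None
    host = m.group("host").lower()          # normalise case before comparing
    path = m.group("path") or "/"
    reasons = []
    if host == C2_HOST:
        reasons.append("known-c2-host")
    if BEACON_PATH_RE.match(path):          # catches the same URI on a new host
        reasons.append("beacon-uri-pattern")
    return host, path, tuple(reasons)

def scan_log(text):
    """Return (client, host, path, reasons) for every line matching an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = classify(m.group("url"))
        if parsed and parsed[2]:
            hits.append((m.group("client"),) + parsed)
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```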
In IDA, we can see the malware uses the standard LoadLibrary / GetProcAddress method for …
IoC
625f63364312cec78a4c91abedba868d551d79185ff73e388f561017b13347f0
rule LazarusDocJan2019_01
{
    meta:
        author = "Silas Cutler"
        description = "Detection for Lazarus Payload from Jan 2019"
        ref = "https://twitter.com/DrunkBinary/status/1090625122883510274"
        version = "0.1"
    strings:
        $ = "\"Main Invoked.\""
        $ = "\"Main Returned.\""
        $ = "%sd.%se%sc %s > %s 2>&1"
    condition:
        all of them
}