LAZARUS’ FALSE FLAG MALWARE
BACKGROUND

We continue to investigate the recent wave of attacks on banks using watering-holes on at least two financial regulator websites as well as others. Our initial analysis of malware disclosed in the BadCyber blog hinted at the involvement of the 'Lazarus' threat actor. Since the release of our report, more samples have come to light, most notably those described in the Polish language niebezpiecznik.pl blog on 7 February 2017.
| MD5 hash | Filename | Compile Time | File Info | Submitted |
|---|---|---|---|---|
| 9216b29114fb6713ef228370cbfe4045 | srservice.chm | N/A | N/A | N/A |
| 8e32fccd70cec634d13795bcb1da85ff | srservice.hlp | N/A | N/A | N/A |
| e29fe3c181ac9ddbb242688b151f3310 | srservice.dll | 2016-10-22 08:08 | Win64 DLL, 78 KB | 2017-01-28 11:58 |
| 9914075cc687bdc352ee136ac6579707 | fdsvc.exe | 2016-08-26 04:19 | Win64 EXE, 60 KB | 2017-02-05 15:14 |
| 9cc6854bc5e217104734043c89dc4ff8 | fdsvc.dll | 2016-08-26 04:11 | Encrypted, 470 KB | 2017-02-05 15:15 |
Of the hashes provided, only three samples could be found in public malware repositories. All three had been submitted from Poland in recent weeks.
In the analysis section below we examine these and the ‘false flag’ approach employed by the attackers in order to spoof the origin of the attack. The same ‘false flag’ approach was also found in the SWF-based exploit mentioned in our previous blogpost:
| MD5 hash | Filename | File Info | Submitted |
|---|---|---|---|
| 6dffcfa68433f886b2e88fd984b4995a | cambio.swf | Adobe Flash | 2016-12-07 23:15 |
Here we’ll analyse these files …
IoC