Lazarus Group leverages Covid-themed HWP document
Lazarus Group, a North Korean nation-state sponsored threat actor, serves as an umbrella for several subgroups and has conducted extensive operations since at least 2009.
Lazarus is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions, as well as some of the world’s largest cyber heists. Based on widely publicized operations alone, the group has attempted to steal more than $1.1 billion. Instead of simply obtaining access and moving to transfer funds as quickly as possible, Lazarus is believed to operate more like an espionage operation, carefully conducting reconnaissance within compromised financial institutions and balancing financially motivated objectives with learning about internal systems.
In a recent campaign, Lazarus has been using Covid-themed HWP documents to target South Korea.
One of the executables uploaded from South Korea to the VirusTotal repository matched a YARA rule for detecting a reflective loader. This sample caught my attention since it was Covid-themed …
IoC
185.62.56.131
186aa05bfe4739274c3c258be4a5a160
8451be72b75a38516e7ba7972729909e
fe2d05365f059d48fd972c79afeee682
http://185.62.56.131
http://afuocolento.it
http://kingsvc.cc
http://mbrainingevents.com
http://sofa.rs
// The pe.exports() checks in the condition need the pe module; without this import the rule does not compile.
import "pe"

rule ReflectiveLoader {
    meta:
        description = "Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended"
        reference = "Internal Research"
        score = 60
    strings:
        $s1 = "ReflectiveLoader" fullword ascii
        $s2 = "ReflectivLoader.dll" fullword ascii
        $s3 = "?ReflectiveLoader@@" ascii
    condition:
        // MZ header, then either one of the loader strings in the file body
        // or a ReflectiveLoader export under one of its common decorations.
        uint16(0) == 0x5a4d and (
            1 of them or
            pe.exports("ReflectiveLoader") or
            pe.exports("_ReflectiveLoader@4") or
            pe.exports("?ReflectiveLoader@@YGKPAX@Z")
        )
}
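The YARA rule above covers the file side of this report; the indicators listed under IoC cover the network and hash side. The following sweep script is added here as an illustration and is not part of the original post. It reduces the URL indicators to their hosts, matches hostnames together with their subdomains (but not lookalike domains that merely contain the indicator), matches MD5s case-insensitively, and runs that against a few constructed proxy-log lines and a constructed file-hash inventory. The log lines, file paths and the non-listed hash values are made up; the only real indicators are the ones on this page. A hit is a triage lead, not a verdict: the page does not say whether the listed domains are attacker-registered or compromised legitimate sites, so blocking decisions need confirmation.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as listed on the page: one IP, three MD5s, five URLs.
PAGE_IOCS = [
    "185.62.56.131",
    "186aa05bfe4739274c3c258be4a5a160",
    "8451be72b75a38516e7ba7972729909e",
    "fe2d05365f059d48fd972c79afeee682",
    "http://185.62.56.131",
    "http://afuocolento.it",
    "http://kingsvc.cc",
    "http://mbrainingevents.com",
    "http://sofa.rs",
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)
HOST_TOKEN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
TOKEN_IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def classify_iocs(iocs):
    """Split a flat indicator list into (md5 hashes, IPs, hostnames).
    URL indicators are reduced to their host so a log line with the same
    host and a different path still matches."""
    hashes, ips, hosts = set(), set(), set()
    for ioc in iocs:
        value = ioc.strip().lower()
        if MD5_RE.match(value):
            hashes.add(value)
            continue
        if "://" in value:
            value = urlsplit(value).hostname or ""
        if IPV4_RE.match(value):
            ips.add(value)
        elif value:
            hosts.add(value)
    return hashes, ips, hosts


def match_host(observed, ips, hosts):
    """Return the indicator an observed host matches, or None.
    Subdomains of a listed domain match; 'kingsvc.cc.example.net' does not."""
    observed = observed.lower().rstrip(".")
    if observed in ips:
        return observed
    for h in hosts:
        if observed == h or observed.endswith("." + h):
            return h
    return None


def scan_proxy_log(lines, ips, hosts):
    """Yield (line number, observed host, matched indicator) for each line
    whose URL host, bare hostname token or IPv4 token hits an indicator."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        observed = {urlsplit(u).hostname or "" for u in URL_RE.findall(line)}
        observed.update(HOST_TOKEN_RE.findall(line))
        observed.update(TOKEN_IP_RE.findall(line))
        seen = set()
        for cand in sorted(observed):
            ioc = match_host(cand, ips, hosts)
            if ioc and ioc not in seen:
                seen.add(ioc)
                hits.append((lineno, cand.lower(), ioc))
    return hits


def scan_hashes(file_hashes, hashes):
    """Case-insensitive MD5 match over (path, digest) pairs."""
    return [(path, d.lower()) for path, d in file_hashes if d.lower() in hashes]


# Constructed sample data (not from the page): a proxy log and a file inventory.
SAMPLE_PROXY_LOG = [
    "2020-05-12T09:58:41Z 10.0.0.17 GET http://www.example.org/index.html 200",
    "2020-05-12T09:59:03Z 10.0.0.17 GET http://www.sofa.rs/images/banner.png 200",
    "2020-05-12T10:01:22Z 10.0.0.23 POST http://185.62.56.131/upload.php 200",
    "2020-05-12T10:02:05Z 10.0.0.23 GET http://kingsvc.cc.example.net/ 404",
    "2020-05-12T10:03:10Z 10.0.0.31 CONNECT mbrainingevents.com:443 200",
]
SAMPLE_FILE_HASHES = [
    (r"C:\Users\user\Downloads\notice.hwp", "0F1E2D3C4B5A69788796A5B4C3D2E1F0"),
    (r"C:\Users\user\AppData\Local\Temp\svc.dll", "186AA05BFE4739274C3C258BE4A5A160"),
    (r"C:\Windows\System32\kernel32.dll", "fe2d05365f059d48fd972c79afeee68f"),
]


def sweep(iocs=PAGE_IOCS, log_lines=SAMPLE_PROXY_LOG, file_hashes=SAMPLE_FILE_HASHES):
    hashes, ips, hosts = classify_iocs(iocs)
    return {
        "network": scan_proxy_log(log_lines, ips, hosts),
        "hashes": scan_hashes(file_hashes, hashes),
    }


if __name__ == "__main__":
    for kind, hits in sweep().items():
        for hit in hits:
            print(kind, *hit)
```

Against the constructed sample the sweep reports the www.sofa.rs request (subdomain of a listed host), the POST to the listed IP, the CONNECT to mbrainingevents.com, and the Temp DLL whose uppercase MD5 is one of the listed hashes; the kingsvc.cc.example.net lookalike and the hash that differs in its last character are correctly left out.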