Lazarus Under The Hood
Executive Summary
The Lazarus Group’s activity spans multiple years, going back as far as 2009. Its malware has
been found in many serious cyberattacks, such as the massive data leak and file wiper attack
on Sony Pictures Entertainment in 2014; the cyberespionage campaign in South Korea, dubbed
Operation Troy, in 2013; and Operation DarkSeoul, which attacked South Korean media and
financial companies in 2013.
There have been several attempts to attribute one of the biggest cyberheists, the 2016 attack on
Bangladesh Bank, to the Lazarus Group. Researchers discovered a similarity between the backdoor used in
Bangladesh and code in one of the Lazarus wiper tools. This was the first attempt to link the
attack back to Lazarus. However, as new facts emerged in the media, claiming that there were
at least three independent attackers in Bangladesh, any certainty about who exactly attacked
the bank's systems, and was behind one of the biggest bank heists in history, vanished.
The only thing …
IoC
02f75c2b47b1733f1889d6bbc026157c
06cd99f0f9f152655469156059a8ea25
072245dc2339f8cd8d9d56b479ba5b8a0d581ced
07e13b985c79ef10802e75aadfac6408
09a77c0cb8137df82efc0de5c7fee46e
0abdaebbdbd5e6507e6db15f628d6fd7
100.158.242.245
129.221.254.13
16a278d0ec24458c8e47672529835117
17bc6f5b672b7e128cd5df51cdf10d37
198760a270a19091582a5bd841fbaec0
1bfbc0c9e0d9ceb5c3f4f6ced6bcfeae
1d0e79feb6d7ed23eb1bf7f257ce4fee
1eff40761643f310a5cd7449230d5cfe9bc2e15f
218.224.125.66
268dca9ad0dcb4d95f95a80ec621924f
2963cd266e54bd136a966bf491507bbf
2de01aac95f8703163da7633993fb447
2ef2703cfc9f6858ad9527588198b1b6
37.87.25.23
3b1dfeb298d0fb27c31944907d900c1d
459593079763f4ae74986070f47452cf
46.100.250.10
474f08fb4a0b8c9e1b88349098de10b1
487f64dc8e98e443886b994b121f4a0c3b1aa43f
4f0d7a33d23d53c0eb8b34d102cdd660fc5323a2
53.250.8.254
579e45a09dc2370c71515bd0870b2078
5d0ffbc8389f27b0649696f0ef5b3cfe
5ebfe9a9ab9c2c4b200508ae5d91f067
5fbfeec97e967325af49fa4f65bb2265
62.201.235.227
67.65.229.53
6eec1de7708020a25ee38a0822a59e88
7260340b7d7b08b7a9c7e27d9226e17b7170a436
73.245.147.162
7413f08e12f7a4b48342a4b530c8b785
76.9.60.204
77c7a17ccd4775b2173a24cd358ad3f2676c3452
82.144.131.5
8387ceba0c020a650e1add75d24967f2
85d316590edfb4212049c4490db08c4b
87.151.206.56
88.223.23.193
9.173.0.74
93e7e7c93cf8060eeafdbe47f67966247be761e0dfd11a23a3a055cf6b634120
949e1e35e09b25fca3927d3878d72bf4
954f50301207c52e7616cc490b8b4d3c
964ba2c98b42e76f087789ab5f64e75dd370841a
9d1db33d89ce9d44354dcba9ebba4c2d
a0c02ce526d5c348519905710935e22583d81be7
a107f1046f5224fdb3a5826fa6f940a981fe65a1
aa115e6587a535146b7493d6c02896a7d322879e
ad5485fac7fed74d112799600edb2fbf
b135a56b0486eb4c85e304e636996ba1
b9353e2e22cb69a9cd967181107113a12197c645
b9be8d53542f5b4abad4687a891b1c03
bbd703f0d6b1cad4ff8f3d2ee3cc073c
bedceafa2109139c793cb158cec9fa48f980ff2b
c1364bbf63b3617b25b58209e4529d8c
c635e0aa816ba5fe6500ca9ecf34bd06
cb65d885f4799dbdf80af2214ecdc5fa
ce6e55abfe1e7767531eaf1036a5db3d
d7d724718065b2f386623dfaa8d1c4d22df7b72c
e29fe3c181ac9ddbb242688b151f3310
e62a52073fd7bfd251efca9906580839
f5e0f57684e9da7ef96dd459b554fded
fde55de117cc611826db0983bc054624
http://218.224.125.66
http://46.100.250.10
http://62.201.235.227
http://67.65.229.53
http://73.245.147.162:443
http://76.9.60.204
http://82.144.131.5
http://82.144.131.5:443
http://82.144.131.5:8080
http://exbonus.mrbasic.com
http://exbonus.mrbasic.com:443
http://movis-es.ignorelist.com
http://movis-es.ignorelist.com:443
http://sap.misapor.ch
http://sap.misapor.ch:443/vishop/include/cambio.swf
http://tradeboard.mefound.com
http://tradeboard.mefound.com:443
http://update.toythieves.com:443
http://update.toythieves.com:8080
http://www.eye-watch.in/design/img/perfmon.dat
http://www.knf.gov.pl
http://www.knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/accordian-src.js?ver=11
https://github.com/jedisct1/spritz/blob/master/spritz.c
https://sap.misapor.ch/vishop/include/cambio.swf
https://sap.misapor.ch/vishop/view.jsp
https://sap.misapor.ch/vishop/view.jsp?pagenum=1
https://sap.misapor.ch/vishop/view.jsp?uid=[redacted]&pagenum=3&eid=00000002&s=2
https://www.knf.gov.pl/opracowania/sektor_bankowy/index.html
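The list above mixes MD5, SHA-1 and SHA-256 hashes, bare IPv4 addresses and full URLs, several of which are the same host reached over different ports. Before such a dump is pushed into a blocklist or a SIEM watchlist it needs to be sorted by indicator type and deduplicated, and a few entries need a human look: the github.com link points at an open-source cipher implementation referenced by the analysis rather than attacker infrastructure, and www.knf.gov.pl is the Polish financial regulator's legitimate domain. The following Python script is an added example written for this page, not tooling from the original report. It assumes one indicator per line, as in the list above, and the REVIEW_HOSTS allowlist is a constructed illustration that an analyst would maintain; the sample input reuses a handful of values from the list.

```python
"""Sort a mixed IoC dump (hashes, IPs, URLs) into typed records.

Added example for this page, not tooling from the original report. It
assumes the list is one indicator per line, as in the IoC section above;
the REVIEW_HOSTS allowlist below is a constructed illustration.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlparse

HEX_RE = re.compile(r"^[0-9a-f]+$")
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

# Hosts an analyst would not want pushed straight into a blocklist even
# though they appear in the IoC list, e.g. an open-source repository or a
# compromised legitimate site. Constructed for this example.
REVIEW_HOSTS = {"github.com", "www.knf.gov.pl"}


def classify(line):
    """Return a dict describing one indicator, or None for an empty line."""
    raw = line.strip()
    if not raw:
        return None
    low = raw.lower()
    if len(low) in HASH_TYPES and HEX_RE.match(low):
        return {"type": HASH_TYPES[len(low)], "value": low}
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        ip = None
    if ip is not None:
        # A non-global address in a feed is more likely a victim-side
        # artefact than infrastructure worth blocking at the perimeter.
        return {"type": f"ipv{ip.version}", "value": raw, "global": ip.is_global}
    if "://" in raw:
        u = urlparse(raw)
        host = (u.hostname or "").lower()
        port = u.port if u.port is not None else (443 if u.scheme == "https" else 80)
        return {
            "type": "url",
            "value": raw,  # keep original case: URL paths are case-sensitive
            "scheme": u.scheme,
            "host": host,
            "port": port,
            "path": u.path,
            "review": host in REVIEW_HOSTS,
        }
    return {"type": "unknown", "value": raw}


def triage(lines):
    """Classify every line and split out what can be blocked automatically.

    Returns (counts_by_type, block_hosts, review_records). Hosts are
    deduplicated across URL variants (plain vs. :443 vs. :8080) so the
    perimeter list carries one entry per host, not one per URL.
    """
    counts = Counter()
    block_hosts = set()
    review = []
    for line in lines:
        rec = classify(line)
        if rec is None:
            continue
        counts[rec["type"]] += 1
        if rec["type"] == "url":
            if rec["review"]:
                review.append(rec)
            else:
                block_hosts.add(rec["host"])
        elif rec["type"].startswith("ipv") and rec["global"]:
            block_hosts.add(rec["value"])
    return counts, block_hosts, review


# Sample input reusing a few entries from the IoC list on this page.
SAMPLE = """
02f75c2b47b1733f1889d6bbc026157c
072245dc2339f8cd8d9d56b479ba5b8a0d581ced
93e7e7c93cf8060eeafdbe47f67966247be761e0dfd11a23a3a055cf6b634120
82.144.131.5
http://82.144.131.5:8080
http://exbonus.mrbasic.com
http://exbonus.mrbasic.com:443
https://github.com/jedisct1/spritz/blob/master/spritz.c
http://www.knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/accordian-src.js?ver=11
""".splitlines()

if __name__ == "__main__":
    counts, hosts, review = triage(SAMPLE)
    print(dict(counts))
    print(sorted(hosts))
    for r in review:
        print("REVIEW:", r["value"])
```

Hash indicators are kept for endpoint and retro-hunting rather than network blocking, and URL records retain the port and path so a proxy rule can be scoped to the exact resource (for example the `:443` and `:8080` variants of the same host) instead of the whole domain where that is preferred.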