LAZARUS & WATERING-HOLE ATTACKS

2017-02-12, BaeSystems
http://baesystemsai.blogspot.kr/2017/02/lazarus-watering-hole-attacks.html
#Wateringhole #BROU #CNBV #KNF

This report provides an outline of the attacks based on what was shared in the article, and our own additional findings.
ANALYSIS
As stated in the blog, the attacks are suspected of originating from the website of the Polish Financial Supervision Authority (knf.gov[.]pl), shown below:
From at least 2016-10-07 to late January the website code had been modified to cause visitors to download malicious JavaScript files from the following locations:
hxxp://sap.misapor[.]ch/vishop/view.jsp?pagenum=1
hxxps://www.eye-watch[.]in/design/fancybox/Pnf.action
Both of these appear to be compromised domains, since they also host legitimate content and have done so for some time. The malicious JavaScript leads to the download of malware onto the victim's device.
Some hashes of the backdoor have been provided in BadCyber's technical analysis:
85d316590edfb4212049c4490db08c4b
c1364bbf63b3617b25b58209e4529d8c
1bfbc0c9e0d9ceb5c3f4f6ced6bcfeae
The C&Cs given in the BadCyber analysis were the following IP addresses:
125.214.195.17
196.29.166.218
LAZARUS MALWARE
Only one of the samples referenced by BadCyber is available in public malware repositories. At the moment we cannot verify that it originated from the watering-hole on the …

IoC
