Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator
Goal: Document and dissect the latest Lazarus Windows 32-bit (x86) version involved in the crypto trading application distribution targeting Windows and macOS users. The malware and the campaign were originally discovered by MalwareHunterTeam.
Where we found it now?: https://www.jmttrading[.]org/ (Sectigo cert from July 11) -> https://github[.]com/jmttrading/JMTTrader/releases -> JMTTrader_Win.msi - signed installer (Sectigo given cert too) -> drops signed CrashReporter.exe to AppData.
(The Mac .dmg has malware too...) pic.twitter.com/7r3SuWbItP
— MalwareHunterTeam (@malwrhunterteam) October 11, 2019
Source:
Signed Windows .msi SHA-256:
07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542
Signed Windows malware SHA-256:
9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641
macOS .dmg SHA-256:
e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55
macOS malware SHA-256:
4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806
Outline:
I. Background & Summary
II. Lazarus Windows 32-bit (x86) Loader/Backdoor Internals
III. Command Line Check Function
IV. Encoder Function
V. Malware Capabilities
VI. Lazarus Loader/Backdoor: ADVObfuscator as "snowman" Library
I. Background & Summary
The purported North Korean state-sponsored group known as "Lazarus" appears to continue targeting crypto users through an elaborate malware distribution methodology: setting up a website, a Twitter account, and a GitHub account for the fake trading application, and additionally signing the Windows malware with a digital certificate.
Previously, Kaspersky researchers …
IoC
07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542
4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806
9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641
e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55
https://github.com/jmttrading/JMTTrader/releases
https://www.jmttrading.org/