
Malicious Documents from Lazarus Group Targeting South Korea

2018-06-22, Alienvault
https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea

By Chris Doman, Fernando Martinez and Jaime Blasco
We took a brief look at some documents that researchers in South Korea discussed and reviewed over the past week. The malware is linked to Lazarus, a reportedly North Korean group of attackers. One malicious document appears to target members of a recent G20 Financial Meeting, a forum that seeks to coordinate economic policy among the wealthiest countries. Another is reportedly related to the recent theft of $30 million from the Bithumb crypto-currency exchange in South Korea.
This article stands very much on the shoulders of other work by researchers in South Korea. Credit for initially identifying these documents goes to @issuemakerslab, @_jsoo_ and others.
Malicious Documents
We looked at three similar malicious documents:
- 국제금융체제 실무그룹 회의결과.hwp ("Results of the international financial system working group meeting") - cf09201f02f2edb9c555942a2d6b01d4
- 금융안정 컨퍼런스 개최결과.hwp ("Financial Stability Conference held") - 69ad5bd4b881d6d1fdb7b19939903e0b
- 신재영 전산담당 경력.hwp ("[Name] Computer Experience") - 06cfc6cda57fb5b67ee3eb0400dd5b97
The decoy document, …

IoC
