lazarusholic

Everyday is lazarus.dayβ

North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group

2017-12-19, Proofpoint
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf, 6.2 MB
#Cryptocurrency #RatankbaPOS #Whitepaper #PowerRatankba

Contents

White paper: North Korea Bitten by Bitcoin Bug. Financially motivated campaigns reveal new dimension of the Lazarus Group.
Author: Darien Huss
www.proofpoint.com


Table of Contents

EXECUTIVE SUMMARY
OVERVIEW
INTRODUCTION
  PowerRatankba Downloaders
    Campaign Timeline
    PowerSpritz
    Windows Shortcut (LNK)
    Microsoft Compiled HTML Help (CHM)
    JavaScript Downloaders
    VBScript Macro Microsoft Office Documents
    Backdoored PyInstaller Applications
  Implant Description and Analysis
    PowerRatankba Description
    PowerRatankba.A C&C Description
    PowerRatankba.B C&C Description
    PowerRatankba Persistence
    PowerRatankba.B Stage2 - Gh0st RAT
    Gh0st RAT Purpose
    Shopping Spree: Enter RatankbaPOS
    RatankbaPOS Analysis
    RatankbaPOS Targeted Region
  Attribution to Lazarus Group
    Encryption
    Obfuscation
    Functionality
    Code Overlap
    Decoys
    C&C
CONCLUSION
  Research Contributions
  Indicators of Compromise (IOCs)
  ET and ETPRO Suricata/Snort Signatures


Executive Summary
With activity dating back to at least 2009, the Lazarus Group has consistently ranked among the most disruptive, successful,
and far-reaching nation-state sponsored actors. The March 20, 2013 attack in South Korea, the Sony Pictures hack in 2014,
the successful theft of $81 million from the Bangladesh Bank in 2014, and perhaps most …

IoC
