North Korea’s Lazarus: their initial access trade-craft using social media and social engineering

2022-05-05, NCCGroup
https://research.nccgroup.com/2022/05/05/north-koreas-lazarus-and-their-initial-access-trade-craft-using-social-media-and-social-engineering/
#LCPDot

This research was conducted by Michael Matthews and Nikolaos Pantazopoulos from the NCC Group Cyber Incident Response Team. You can find more here: Incident Response – NCC Group.
tl;dr
This blog post documents some of the actions taken during the initial access phase for an attack attributed to Lazarus, along with analysis of the malware that was utilised during this phase.
The methods used to gain access to a victim network are widely reported; however, nuances in post-exploitation provide a wealth of information on attack paths and threat-hunting material that relate closely to the TTPs of the Lazarus group.
In summary, we identified the following findings:
- Lazarus used LinkedIn profiles to impersonate employees of other legitimate companies
- Lazarus communicated with target employees through communication channels such as WhatsApp.
- Lazarus entices victims to download job adverts (zip files) containing malicious documents that …

IoC
