Operation Dream Job by Lazarus
Lazarus (also known as Hidden Cobra) is known to use various kinds of malware in its attack operations, and we have introduced some of them in our past articles. In this article, we present two more: Torisma and LCPDot.
Torisma overview
Torisma downloads and executes modules from external servers, and its infection spreads via malicious Word files [1]. The Torisma samples that JPCERT/CC has analysed are DLL files executed through rundll32.exe. Below is an example of a command line used to execute Torisma.
"C:\Windows\System32\rundll32.exe" C:\ProgramData\USOShared\usosqlite3.dat,sqlite3_create_functionex mssqlite3_server_management jp-JP
The export function ("sqlite3_create_functionex" in this example) is given the key used to decode the malware's internal data (mssqlite3_server_management) as its argument; only then does the malware perform its malicious functions. Torisma's configuration, communication protocol and modules are described in the following sections.
Torisma configuration
Torisma loads its C2 servers and other settings from a separate configuration file located at the following path (some samples do not load a configuration file):
- %LOCALAPPDATA%\.IdentityService\AccountStore.bak
The configuration …
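The execution pattern above is a useful hunting lead: rundll32.exe loading a non-.dll file from ProgramData and handing a key-like argument to an export. The following Python detector is an added example (not code from JPCERT/CC or the article); it parses rundll32 command lines from process-creation logs and scores the traits described above. All function names and the sample command lines are my own constructions, except the first sample, which is the article's own example.

```python
import ntpath
import re
from collections import namedtuple

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # a quoted string or a bare token
RUNDLL32_RE = re.compile(r"(?:^|\\)rundll32(?:\.exe)?$", re.IGNORECASE)
# module = file handed to rundll32, export = function named after the comma, args = its arguments
Rundll32Call = namedtuple("Rundll32Call", "module export args")

def parse_rundll32(cmdline):
    """Parse '<rundll32> <module>,<export> [args...]'; return None if not a rundll32 call."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if len(tokens) < 2 or not RUNDLL32_RE.search(tokens[0]):
        return None
    module, sep, export = tokens[1].partition(",")  # rundll32's module,export syntax
    if not sep or not export:
        return None
    return Rundll32Call(module, export, tokens[2:])

def torisma_traits(call):
    """List which traits of the invocation shown in the article this call exhibits."""
    traits = []
    mod = call.module.lower()
    ext = ntpath.splitext(mod)[1]
    if ext != ".dll":  # e.g. usosqlite3.dat
        traits.append("module extension is %s, not .dll" % (ext or "<none>"))
    if mod.startswith(r"c:\programdata"):
        traits.append("module loaded from under C:\\ProgramData")
    if call.export.lower().startswith("sqlite3_") and call.args:
        traits.append("sqlite3-style export given a key-like argument")
    return traits

def scan(cmdlines, min_traits=2):
    """Return [(cmdline, traits)] for invocations showing at least min_traits traits."""
    hits = []
    for line in cmdlines:
        call = parse_rundll32(line)
        if call is not None:
            traits = torisma_traits(call)
            if len(traits) >= min_traits:
                hits.append((line, traits))
    return hits

# Constructed sample command lines (not real log data); the first is the article's example.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\USOShared\usosqlite3.dat,sqlite3_create_functionex mssqlite3_server_management jp-JP',
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"C:\Windows\System32\cmd.exe /c dir",
]
```

Requiring two or more traits keeps ordinary rundll32 use (such as the shell32.dll sample) out of the results; tune the threshold to your environment's baseline.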
IoC