
Paleontology: The Unknown Origins of Lazarus malware

2018-10-31, Intezer
https://www.intezer.com/paleontology-the-unknown-origins-of-lazarus-malware/

Contents

INTRODUCTION
As observed by security researchers across the world and confirmed by joint research from McAfee and Intezer, Lazarus, one of the groups operating from North Korea, has consistently reused code across its malware toolset. There is a common pattern in the code that researchers and reverse engineers find during analysis. It is already known that the group has used open source projects, such as one from CodeProject that we documented in another blog post, and open source RATs such as Gh0st RAT.
This code has always been assumed to have been written originally by the DPRK, from the time the group is thought to have become active in 2007 until the present. We recently found some samples via our Vaccine feature (Yara signatures) on VirusTotal, with very low detection rates and dating back to 2016, which led us to the origins of their toolset – an open source …

IoC
plsong.com/xe/addons/counter/conf/write_ok.php
http://pudn.com
http://ready-jetkorea.com/data/file/pop/write_ok.php