Recent Lazarus Tools

2019-01-13, Norfolk
https://norfolkinfosec.com/recent-lazarus-tools/

On 10 January 2019, Spanish-language media outlets reported an attempted intrusion into Redbanc, a Chilean interbank network. Components of the malware used in this attack share characteristics with toolsets typically attributed to North Korean adversaries, including tools possibly related to operations against other financially-affiliated entities in Vietnam. Furthermore, additional public data suggests with low confidence the possibility of similar activity taking place in Pakistan.
Redbanc Attack
Per the aforementioned Spanish-language media reporting, the attempted intrusion into Redbanc’s network occurred when an employee attempted to apply for a (fake) developer position via LinkedIn and was contacted by the adversary. After establishing a relationship with the developer, the adversary requested that the developer install a program named “ApplicationPDF.exe,” which allowed the adversary onto the network.
ApplicationPDF.exe
MD5: b484b0dff093f358897486b58266d069
SHA1: a20ef335481c2b3a942df1879fca7762f2c69704
SHA256: f12db45c32bda3108adb8ae7363c342fdd5f10342945b115d830701f95c54fa9
C2: ecombox[.]store
ApplicationPDF.exe is written in .NET and has two primary purposes:
1) The file presents a fake job application form to the user in which they can fill …

IoC