RIFT: Analysing a Lazarus Shellcode Execution Method

2021-01-23, NCCGroup
https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/
About the Research and Intelligence Fusion Team (RIFT):
RIFT leverages our strategic analysis, data science, and threat hunting capabilities to create actionable threat intelligence, ranging from IOCs and detection capabilities to strategic reports on tomorrow’s threat landscape. Cyber security is an arms race where both attackers and defenders continually update and improve their tools and ways of working. To ensure that our managed services remain effective against the latest threats, NCC Group operates a Global Fusion Center with Fox-IT at its core. This multidisciplinary team converts our leading cyber threat intelligence into powerful detection strategies.
On January 21st, the following malware sample was shared by the Check Point research team via Twitter. The post states that this loader belongs to the Lazarus group. The modus operandi of phishing with macro documents disguised as job descriptions (delivered via LinkedIn) was also recently documented by ESET in their Operation In(ter)ception paper.
After analysing …

IoC

http://ropgadget.com/posts/abusing_win_functions.html