The Blockbuster Sequel
Unit 42 has identified malware with recent compilation and distribution timestamps whose code, infrastructure, and themes overlap with threats described previously in the Operation Blockbuster report, written by researchers at Novetta. That report details the activities of a group they named Lazarus, the tools the group uses, and the techniques it employs to infiltrate computer networks. The Lazarus group is tied to the 2014 attack on Sony Pictures Entertainment and the 2013 DarkSeoul attacks.
This recently identified activity targets Korean-speaking individuals, while the threat actors behind the attack likely speak both Korean and English. This blog will detail the recently discovered samples, their functionality, and their ties to the threat group behind Operation Blockbuster.
Initial Discovery and Delivery
This investigation began when we identified two malicious Word document files in the AutoFocus threat intelligence tool. While we cannot be certain how the documents were sent to the targets, phishing emails are highly likely. One …
IoC
02d74124957b6de4b087a7d12efa01c43558bf6bdaccef9926a022bcffcdcfea
032ccd6ae0a6e49ac93b7bd10c7d249f853fff3f5771a1fe3797f733f09db5a0
040d20357cbb9e950a3dd0b0e5c3260b96b7d3a9dfe15ad3331c98835caa8c63
09fc4219169ce7aac5e408c7f5c7bfde10df6e48868d7b470dc7ce41ee360723
0c5cdbf6f043780dc5fff4b7a977a1874457cc125b4d1da70808bfa720022477
103.224.82.154
1322b5642e19586383e663613188b0cead91f30a0ab1004bf06f10d8b15daf65
1491896d42eb975400958b2c575522d2d73ffa3eb8bdd3eb5af1c666a66aeb08
180.67.205.101
182.70.113.138
18579d1cc9810ca0b5230e8671a16f9e65b9c9cdd268db6c3535940c30b12f9e
193.189.144.145
199.26.11.17
19b23f169606bd390581afe1b27c2c8659d736cbfa4c3e58ed83a287049522f6
1efffd64f2215e2b574b9f8892bbb3ab6e0f98cf0684e479f1a67f0f521ec0fe
209.105.242.64
211.233.13.11
211.233.13.62
211.236.42.52
211.49.171.243
218.103.37.22
221.138.17.152
221.161.82.208
23.115.75.188
31e8a920822ee2a273eb91ec59f5e93ac024d3d7ee794fa6e0e68137734e0443
440dd79e8e5906f0a73b80bf0dc58f186cb289b4edb9e5bc4922d4e197bce10c
446ce29f6df3ac2692773e0a9b2a973d0013e059543c858554ac8200ba1d09cf
49ecead98ebc750cf0e1c48fccf5c4b07fadef653be034cdcdcd7ba654f713af
520778a12e34808bd5cf7b3bdf7ce491781654b240d315a3a4d7eff50341fb18
557c63737bf6752eba32bd688eb046c174e53140950e0d91ea609e7f42c80062
5c10b34e99b0f0681f79eaba39e3fe60e1a03ec43faf14b28850be80830722cb
600ddacdf16559135f6e581d41b30d0867aae313fbaf66eb4d18345b2136cdd7
61.100.180.9
61.78.63.95
644c01322628adf8574d69afe25c4eb2cdc0bfa400e689645c2ab80becbacc33
6a34f4ce012e52f5f94c1a163111df8b1c5b96c8dc0836ba600c2da84059c6ad
6ccb8a10e253cddd8d4c4b85d19bbb288b56b8174a3f1f2fe1f9151732e1a7da
77a32726af6205d27999b9a564dd7b020dc0a8f697a81a8f597b971140e28976
79fe6576d0a26bd41f1f3a3a7bfeff6b5b7c867d624b004b21fadfdd49e6cb18
80.153.49.82
8085dae410e54bc0e9f962edc92fa8245a8a65d27b0d06292739458ce59c6ba1
8b21e36aa81ace60c797ac8299c8a80f366cb0f3c703465a2b9a6dbf3e65861e
8b2c44c4b4dc3d7cf1b71bd6fcc37898dcd9573fcf3cb8159add6cb9cfc9651b
90e74b5d762fa00fff851d2f3fad8dc3266bfca81d307eeb749cce66a7dcf3e1
9c6a23e6662659b3dee96234e51f711dd493aaba93ce132111c56164ad02cf5e
9e71d0fdb9874049f310a6ab118ba2559fc1c491ed93c3fd6f250c780e61b6ff
cec26d8629c5f223a120677a5c7fbd8d477f9a1b963f19d3f1195a7f94bc194b
d1e4d51024b0e25cfac56b1268e1de2f98f86225bbad913345806ff089508080
d843f31a1fb62ee49939940bf5a998472a9f92b23336affa7bccfa836fe299f5
dcea917093643bc536191ff70013cb27a0519c07952fbf626b4cc5f3feee2212
dd8c3824c8ffdbf1e16da8cee43da01d43f91ee3cc90a38f50a6cc8d6a778b57
dfc420190ef535cbabf63436e905954d6d3a9ddb65e57665ae8e99fa3e767316
efa2a0bbb69e60337b783db326b62c820b81325d39fb4761c9b575668411e12c
f21290968b51b11516e7a86e301148e3b4af7bc2a8b3afe36bc5021086d1fab2
f365a042fbf57ed2fe3fd75b588c46ae358c14441905df1446e67d348bd902bf
f618245e69695f6e985168f5e307fd6dc7e848832bf01c529818cbcfa4089e4a
fa45603334dae86cc72e356df9aa5e21151bb09ffabf86b8dbf5bf42bd2bbadf
fc19a42c423aefb5fdb19b50db52f84e1cbd20af6530e7c7b39435c4c7248cc7
ff4581d0c73bd526efdd6384bc1fb44b856120bc6bbf0098a1fa0de3efff900d
ff58189452668d8c2829a0e9ba8a98a34482c4f2c5c363dc0671700ba58b7bee
http://103.224.82.154
http://180.67.205.101
http://182.70.113.138
http://193.189.144.145
http://199.26.11.17
http://209.105.242.64
http://211.233.13.11
http://211.233.13.62
http://211.236.42.52
http://211.49.171.243
http://218.103.37.22
http://221.138.17.152
http://221.161.82.208
http://23.115.75.188
http://61.100.180.9
http://61.78.63.95
http://80.153.49.82
http://daedong.or.kr
http://kcnp.or.kr
http://kosic.or.kr
http://wstore.lt
http://xkclub.hk