The Evolution of Lazarus

2020-04-16, Carbonblack
https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/
#HOTCROISSANT

On February 14, 2020 the U.S. Department of Homeland Security (DHS) released a Malware Analysis Report (MAR-10271944-1.v1) describing a trojan it refers to as HotCroissant. DHS attributed the trojan to a North Korea-based threat group often referred to as Hidden Cobra. This group, also known as the Lazarus Group, remains very active: over the past year it has targeted organizations in South Korea, Russia, and the United States with motives ranging from espionage and sabotage to purely financial gain. At first glance HotCroissant might appear to be a new tool in the Lazarus Group's toolbox, but as we'll see it shares many similarities with an earlier trojan the group has used.
HotCroissant
Overview
The HotCroissant trojan is a fairly straightforward remote access trojan (RAT). On startup, it decodes the address of its C2 server and then attempts to connect to it. If it is successful …

IoC

SHA-256 (samples):
0a0c09f81a3fac2af99fab077e8c81a6674adc190a1077b04e2956f1968aeff3
0ea57d676fe7bb7f75387becffffbd7e6037151e581389d5b864270b296bb765
315c06bd8c75f99722fd014b4fb4bd8934049cde09afead9b46bddf4cdd63171
57d1df9f6c079e67e883a25cfbb124d33812b5fcdb6288977c4b8ebc1c3350de
7ec13c5258e4b3455f2e8af1c55ac74de6195b837235b58bc32f95dd6f25370c
8ee7da59f68c691c9eca1ac70ff03155ed07808c7a66dee49886b51a59e00085
a9915977c810fb2d61be8ff9d177de4d10bd3b24bdcbb3bb8ab73bcfdc501995
b689815a0c97414e0bba0f6cf72029691c8254041e105ed69f6f921d49e88a4d
c9455e218220e81670ddd3c534011a68863ca9e09ab8215cc72da543ca910b81

IPv4 (C2 infrastructure):
111.68.7.74
165.194.123.67
172.93.110.85
176.31.15.195
192.99.223.115
51.254.60.208
94.177.123.138
rule lazarus_hotcroissant_2020_Q1 : TAU APT Lazarus
{
    meta:
        author = "CarbonBlack Threat Research" // sknight
        date = "2020-Mar-25"
        Validity = 10
        severity = 10
        Jira = "TR-4456"
        TID = "T1140, T1082, T1033, T1005, T1113, T1094, T1024, T1132, T1065"
        description = "Lazarus HotCroissant backdoor"
        link = "https://www.us-cert.gov/ncas/analysis-reports/ar20-045d"
        rule_version = 1
        yara_version = "3.11.0"
        Confidence = "Prod"
        Priority = "Medium"
        TLP = "White"
        exemplar_hashes = "8ee7da59f68c691c9eca1ac70ff03155ed07808c7a66dee49886b51a59e00085, 7ec13c5258e4b3455f2e8af1c55ac74de6195b837235b58bc32f95dd6f25370c"

    strings:
        // Crypto keys ([1-6] is a jump of 1 to 6 arbitrary bytes)
        $b1 = { 8b d6 b8 00 [1-6] 17 [1-6] 29 70 49 02 }
        // Crypto algorithm
        $b2 = { 8A 1C 3E 32 DA 32 D8 32 D9 88 1C 3E 8A D8 32 D9 22 DA 8B 55 FC 8D 3C D5 00 00 00 00 33 FA 81 E7 F8 07 00 00 C1 E7 14 C1 EA 08 0B D7 8D 3C 00 33 F8 22 C8 C1 E7 04 33 F8 32 CB 8B D8 83 E7 80 C1 E3 07 33 FB C1 E7 11 C1 E8 08 }

    condition:
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        filesize < 200KB and
        any of ($b*)
}