lazarusholic


The Lazarus Injector

2019-07-22, Norfolk
https://norfolkinfosec.com/the-lazarus-injector/


In May and June, two files were submitted to VirusTotal that were signed with the same digital certificate and were connected to the SWIFT-heist wing of the DPRK. One file is a re-themed version of the fake resume-creating tool used in the Redbanc and Pakistan attacks. The second file is a tool used to inject and run payloads inside of explorer.exe.
This brief post documents the capabilities of this second tool.
MD5: b9ad0cc2a2e0f513ce716cdf037da907
SHA1: 1a50a7ea5ca105df504c33af1c0329d36f03715b
SHA256: db0f102af2d350aa1a63772e6ee9b211d78aa962a34f75c8702e71ccd261243e
Parameter Check
The malware expects at least one parameter: a file path (pointing towards the injected payload) to be passed to it during execution.
The majority of the injector’s workflow takes place within two functions. In the first function, the injector checks the number of arguments it was passed at execution (coincidentally, similar to a previous post on this blog). If this number is less than 3, the malware will jump to a “create file check,” to be discussed shortly:
If, however, this number …
