Malware Used by the Lazarus Attack Group After Network Intrusion
2020-08-31 • JPCERT • Malware Used by the Lazarus Attack Group After Network Intrusion •
JPCERT/CC reports Lazarus activity against organizations in Japan in which different malware was used during the initial network intrusion and after compromise. The post-intrusion malware downloaded and executed additional modules, achieved persistence as a Windows service installed under system paths, was obfuscated with VMProtect, communicated with its command-and-control infrastructure using an AES key exchange, and loaded UPX-packed modules to receive attacker commands.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://sac.onecenter.com.br/sa… | 2020-08-31 | 2020-08-31 |
| URL | https://gestao.simtelecomrs.com… | 2020-08-31 | 2020-08-31 |
| URL | https://mk.bital.com.br/sac/For… | 2020-08-31 | 2020-08-31 |
| DOMAIN | mk.bital.com.br | 2020-08-31 | 2020-08-31 |
| DOMAIN | sac.onecenter.com.br | 2020-08-31 | 2020-08-31 |
| DOMAIN | gestao.simtelecomrs.com.br | 2020-08-31 | 2020-08-31 |