Snow Abuse and Wind Gluttony: Analysis of suspected Lazarus group attack activity targeting Korean enterprises

2022-04-11 Qianxin Snow Abuse: Analysis of attacks by suspected Lazarus organization against Korean companies

https://mp.weixin.qq.com/s/kcIaoB8Yta1zI6Py-uxupA


QiAnXin RedDrip reported a suspected Lazarus spear-phishing campaign against Korean enterprises (rather than consumers) that used malicious DOCX and CHM lures. The DOCX samples abused CVE-2017-0199 through remote template execution, with lures such as disaster-aid applications and Korean corporate documents; they then downloaded 32-bit or 64-bit macro payloads from naveicoipg.online-style infrastructure and injected code into winword.exe. The malware performed sandbox and Korean antivirus checks, dropped RuntimeBroker.exe under the Microsoft TokenBroker path, used a local RPC UAC-bypass technique, added Windows Defender exclusions, and retrieved its C2 configuration through Dropbox-hosted data used as an intermediary. The report attributes the activity to Lazarus based on the Dropbox use, the RuntimeBroker behaviour, overlap with prior public reporting, and related IOCs such as naveicoipc.tech and multiple naveicoip* domains.

Indicators of Compromise

