Analysis Report on the Lazarus Group's Rootkit Malware Using BYOVD

2022-09-22 AhnLab: Analysis report on rootkit malware that the Lazarus Group deploys via BYOVD (bring your own vulnerable driver)

https://asec.ahnlab.com/wp-content/uploads/2022/09/%EB%9D%BC%EC%9E%90%EB%A3%A8%EC%8A%A4-%EA%B3%B5%EA%B2%A9-%EA%B7%B8%EB%A3%B9%EC%9D%98-BYOVD%EB%A5%BC-%ED%99%9C%EC%9A%A9%ED%95%9C-%EB%A3%A8%ED%8A%B8%ED%82%B7-%EC%95%85%EC%84%B1%EC%BD%94%EB%93%9C-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C_20220922.pdf

Attachments

EB9DBCEC9E90EBA3A8EC8AA4-EAB3B5EAB2A9-EAB7B8EBA3B9EC9D98-BYOVDEBA5_RGTTvPV.pdf (1 MB)


AhnLab's report analyzes Lazarus rootkit malware that uses a bring-your-own-vulnerable-driver (BYOVD) technique, loading a legitimately signed but vulnerable driver to obtain kernel-level capabilities. The PDF frames the case as part of Lazarus activity tracked by ASEC against South Korean defense, satellite, software, media, and other organizations since 2021. The report focuses on the malware's driver-abuse approach, its rootkit behavior, and the forensic artifacts it leaves behind, showing how Lazarus uses vulnerable legitimate components to interfere with detection and maintain deeper control over compromised Windows systems.

Indicators of Compromise

