A DETAILED ANALYSIS OF LAZARUS APT MALWARE DISGUISED AS NOTEPAD++ SHELL EXTENSION
2022-01-31 • Cybergeeks
https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/
The malware collects the hostname, username, network information, a list of running processes, and other host details and exfiltrates them to one of four C2 servers. Before transmission the collected data is compressed, XOR-encrypted and then Base64-encoded. Lazarus has lured its targets with job-opportunity documents purporting to come from companies such as Lockheed Martin, BAE Systems, and Boeing. The Trojan implements four commands, which include downloading and executing a .exe or .dll file, loading a PE (Portable Executable) file into the process memory, and executing shellcode.
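The compress / XOR / Base64 pipeline described above, as an added Python example that is not part of the original analysis and not the malware's own code. The XOR key, the choice of zlib as the compressor, and the sample host profile are all assumptions made here; the page gives neither the key nor the compression algorithm. The example also shows the check an analyst can apply to a captured beacon body: if the compressor turns out to be zlib, its fixed two-byte stream header leaks the first two bytes of the XOR key by known plaintext.

```python
import base64
import json
import zlib

# Constructed XOR key for this example; the real key used by the sample is
# not given on the page. Repeating-key XOR is its own inverse.
XOR_KEY = b"\x3a\x7f\x9c\x11"

# Default-level zlib streams begin with this fixed two-byte header.
ZLIB_HEADER = b"\x78\x9c"


def build_profile() -> bytes:
    """Constructed stand-in for the host profile the Trojan gathers."""
    profile = {
        "hostname": "WKS-FINANCE-07",
        "username": "jdoe",
        "network": ["10.10.4.21/24", "fe80::1c2a:9b3f:77e1:4d02"],
        "processes": ["explorer.exe", "notepad++.exe", "outlook.exe"],
    }
    return json.dumps(profile, sort_keys=True).encode()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_beacon(plaintext: bytes, key: bytes = XOR_KEY) -> bytes:
    """Compress -> XOR -> Base64, in the order the analysis describes.
    zlib is an assumption; the page does not name the compression scheme."""
    return base64.b64encode(xor_bytes(zlib.compress(plaintext), key))


def decode_beacon(blob: bytes, key: bytes = XOR_KEY) -> bytes:
    """Inverse pipeline for a captured beacon body: Base64 -> XOR -> decompress."""
    return zlib.decompress(xor_bytes(base64.b64decode(blob, validate=True), key))


def recover_key_prefix(blob: bytes, known_prefix: bytes = ZLIB_HEADER) -> bytes:
    """Known-plaintext check on the XOR layer: if the compressor is zlib, the
    first two compressed bytes are fixed, so XOR-ing them against the captured
    ciphertext yields the first two key bytes without touching the sample."""
    raw = base64.b64decode(blob, validate=True)
    return xor_bytes(raw[: len(known_prefix)], known_prefix)


if __name__ == "__main__":
    blob = encode_beacon(build_profile())
    print("wire form :", blob.decode())
    print("key prefix:", recover_key_prefix(blob).hex())
    print("decoded   :", decode_beacon(blob).decode())
```

On the wire the beacon is opaque Base64 text, so a proxy or IDS sees nothing that resembles a hostname or process list; decoding a capture means peeling the layers in reverse order, and the zlib-header trick is a quick way to confirm both the compressor and part of the key before committing to a full reverse of the sample.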
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | f3e2e6f9e7aa065e89040a0c16d1f94… | 2022-01-31 | 2022-01-31 |
| HASH | 803dda6c8dc426f1005acdf765d9ef8… | 2022-01-31 | 2022-01-31 |
| URL | https://mante.li/images/draw.php | 2022-01-31 | 2022-01-31 |
| URL | https://bmanal.com/images/draw.… | 2022-01-31 | 2022-01-31 |
| URL | https://shopandtravelusa.com/ve… | 2022-01-31 | 2022-01-31 |
| URL | https://zhuanlan.zhihu.com/p/45… | 2022-01-31 | 2022-01-31 |
| URL | https://industryinfostructure.c… | 2022-01-31 | 2022-01-31 |
| DOMAIN | zhuanlan.zhihu.com | 2022-01-31 | 2022-01-31 |
| DOMAIN | industryinfostructure.com | 2022-01-31 | 2022-01-31 |
| DOMAIN | bmanal.com | 2022-01-31 | 2022-01-31 |
| DOMAIN | shopandtravelusa.com | 2022-01-31 | 2022-01-31 |
| DOMAIN | mante.li | 2022-01-31 | 2022-01-31 |