A Look into the Lazarus Group's Operations in October 2019
2019-11-12 • Strangereal Intel
Strangereal Intel reviewed Lazarus Group activity from October 2019 involving several document-based intrusions. One HWP lure targeted South Korean CES 2020 exhibitors through EPS execution of CVE-2017-8291; the payload collected host, disk, process, and file information and contacted command-and-control (C2) servers hosted on apparently compromised cloud or WordPress infrastructure. The report also describes a HAL-themed malicious document aimed at India's aeronautics sector that used VBA macros with Macro_pack-style code and dropped a backdoor able to enumerate systems, capture keystrokes and screenshots, exfiltrate files, and receive operator commands. A later cross-platform malicious document carried both Mac and Windows payload logic and a C2 loop supporting download, execute, command-shell, sleep, and session-control functions, reflecting the group's interest in aerospace and high-technology targets.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | curiofirenze.com | 2019-11-05 | 2021-02-25 |
| HASH | 735365ef9aa6cca946cfef9a4b85f68… | 2019-11-12 | 2020-07-27 |
| HASH | 26a2fa7b45a455c311fd57875d8231c… | 2019-11-05 | 2020-05-15 |
| HASH | dfa984f8d6bfc4ae3920954ec8b768e… | 2019-11-12 | 2020-03-09 |
| HASH | ccafbcff1596e3dfd28dcb97a5ba85e… | 2019-11-12 | 2020-03-09 |
| HASH | bfb39f486372a509f307cde3361795a… | 2019-11-04 | 2020-03-09 |
| HASH | 3cc9d9a12f3b884582e5c4daf7d83c4… | 2019-11-04 | 2020-03-09 |
| URL | https://towingoperations.com/ch… | 2019-03-26 | 2020-01-01 |
| URL | https://www.tangowithcolette.co… | 2019-03-26 | 2020-01-01 |
| URL | https://baseballcharlemagnelega… | 2019-03-26 | 2020-01-01 |
| DOMAIN | towingoperations.com | 2019-03-26 | 2020-01-01 |
| DOMAIN | baseballcharlemagnelegardeur.com | 2019-03-26 | 2020-01-01 |
| HASH | b578ccf307d55d3267f98349e20ecff1 | 2019-11-12 | 2019-12-17 |
| URL | https://indagator.club/board.php | 2019-11-12 | 2019-11-20 |
| URL | https://craypot.live/board.php | 2019-11-04 | 2019-11-20 |
| URL | https://crabbedly.club/board.php | 2019-11-04 | 2019-11-20 |
| DOMAIN | indagator.club | 2019-11-04 | 2019-11-20 |
| DOMAIN | craypot.live | 2019-11-04 | 2019-11-20 |
| DOMAIN | crabbedly.club | 2019-11-04 | 2019-11-20 |
| HASH | a7ff0dfc2456baa80e6291619e0ca48… | 2019-11-12 | 2019-11-12 |
| HASH | 4503a194e5064595e36ef01ed87c242… | 2019-11-12 | 2019-11-12 |
| HASH | 8765888a825223f427756dce79956720 | 2019-11-12 | 2019-11-12 |
| HASH | f9ffb15a6bf559773b0df7d8a89d944… | 2019-11-12 | 2019-11-12 |
| HASH | 51ac3966b48c91947de4ce51a90aee9… | 2019-11-12 | 2019-11-12 |
| HASH | ee9cd8decf752a47eefe24369a80697… | 2019-11-12 | 2019-11-12 |
| HASH | d4f055d170fd783ae4f010df64cfd18… | 2019-11-12 | 2019-11-12 |
| HASH | 360431100aa6da78b577cc8b4606fa6… | 2019-11-12 | 2019-11-12 |
| HASH | d0b970e8052a4e3a353e99f8f2f4f64… | 2019-11-12 | 2019-11-12 |
| HASH | 4701cc722f03253fb332747f951fff4… | 2019-11-12 | 2019-11-12 |
| HASH | 761bcff9401bed2ace80b85c43b2302… | 2019-11-12 | 2019-11-12 |
| HASH | 4f71c62df0163d301cbc96e70771ebe… | 2019-11-12 | 2019-11-12 |
| HASH | 1ba8cba6337da612d1db2cdfe1b44f6… | 2019-11-12 | 2019-11-12 |
| DOMAIN | valentinsblog.de | 2019-11-12 | 2019-11-12 |
| DOMAIN | necaled.com | 2019-11-12 | 2019-11-12 |
| DOMAIN | juliesoskin.com | 2019-11-12 | 2019-11-12 |
| IPv4 | 64.151.229.52 | 2019-11-12 | 2019-11-12 |
| IPv4 | 37.72.175.226 | 2019-11-12 | 2019-11-12 |
| IPv4 | 185.136.207.217 | 2019-11-12 | 2019-11-12 |
| IPv4 | 185.236.203.211 | 2019-11-12 | 2019-11-12 |
| IPv4 | 83.169.17.240 | 2019-11-12 | 2019-11-12 |
| IPv4 | 23.227.199.96 | 2019-11-12 | 2019-11-12 |
| HASH | 1a172d92638e6fdb2858dcca7a78d4b… | 2019-11-05 | 2019-11-12 |
| IPv4 | 193.70.64.163 | 2019-11-05 | 2019-11-12 |
| HASH | c5c1ca4382f397481174914b1931e85… | 2019-11-04 | 2019-11-12 |
| HASH | 6850189bbf5191a76761ab20f7c630ef | 2019-11-04 | 2019-11-12 |
| HASH | a0664ac662802905329ec6ab3b3ae84… | 2019-11-04 | 2019-11-12 |
| HASH | 93a01fbbdd63943c151679d037d32b1… | 2019-11-04 | 2019-11-12 |
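The table above is only useful once it is turned into something that can be run against telemetry. The following Python script is an added example, not code from Strangereal Intel or the report: it parses a subset of the indicator rows copied from this page, skips values the page shows truncated with "…" rather than guessing them, and sweeps a handful of constructed DNS, proxy, EDR and firewall log lines for domain (including parent-domain), URL, MD5 and IPv4 matches. The log format, the 10.0.0.x clients and the example.org hosts are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Subset of the report's IoC table copied from the page. Values ending in
# "..." are truncated on the page and are deliberately skipped, not completed.
IOC_TABLE = """\
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | curiofirenze.com | 2019-11-05 | 2021-02-25 |
| HASH | 735365ef9aa6cca946cfef9a4b85f68… | 2019-11-12 | 2020-07-27 |
| URL | https://towingoperations.com/ch… | 2019-03-26 | 2020-01-01 |
| DOMAIN | towingoperations.com | 2019-03-26 | 2020-01-01 |
| HASH | b578ccf307d55d3267f98349e20ecff1 | 2019-11-12 | 2019-12-17 |
| URL | https://indagator.club/board.php | 2019-11-12 | 2019-11-20 |
| DOMAIN | indagator.club | 2019-11-04 | 2019-11-20 |
| DOMAIN | craypot.live | 2019-11-04 | 2019-11-20 |
| IPv4 | 64.151.229.52 | 2019-11-12 | 2019-11-12 |
| IPv4 | 193.70.64.163 | 2019-11-05 | 2019-11-12 |
| HASH | 6850189bbf5191a76761ab20f7c630ef | 2019-11-04 | 2019-11-12 |
"""

# Constructed key=value log lines for the demonstration (not from the report).
SAMPLE_LOGS = [
    "2019-11-06T10:02:11Z dns client=10.0.0.14 query=curiofirenze.com type=A",
    "2019-11-06T10:02:12Z dns client=10.0.0.14 query=cdn.example.org type=A",
    "2019-11-06T10:02:30Z proxy client=10.0.0.14 url=https://indagator.club/board.php status=200",
    "2019-11-06T10:02:41Z proxy client=10.0.0.14 url=https://update.craypot.live/dl status=200",
    "2019-11-06T10:03:01Z proxy client=10.0.0.21 url=https://www.example.org/index.html status=200",
    "2019-11-06T10:05:44Z edr host=ws-014 action=file_write md5=B578CCF307D55D3267F98349E20ECFF1 path=C:\\Users\\Public\\x.exe",
    "2019-11-06T10:06:00Z fw src=10.0.0.14 dst=193.70.64.163 dport=443 action=allow",
    "2019-11-06T10:06:05Z fw src=10.0.0.14 dst=8.8.8.8 dport=53 action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_ioc_table(text):
    """Parse a markdown IoC table into {TYPE: set(values)} plus the skipped truncated values."""
    iocs = defaultdict(set)
    skipped = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] in ("Type", "---"):
            continue  # header and separator rows
        ioc_type, value = cells[0].upper(), cells[1]
        if value.endswith(("…", "...")):
            skipped.append(value)  # page shows only a prefix; never guess the rest
            continue
        iocs[ioc_type].add(value.lower())
    return iocs, skipped


def domain_hit(host, domains):
    """Return the matching indicator if host equals it or is a subdomain of it."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_logs(lines, iocs):
    """Return (line_number, ioc_type, value) for every indicator seen in the logs."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(KV_RE.findall(line))
        for key in ("query", "host"):
            if key in fields:
                d = domain_hit(fields[key], iocs["DOMAIN"])
                if d:
                    hits.append((n, "DOMAIN", d))
        if "url" in fields:
            url = fields["url"]
            if url.lower() in iocs["URL"]:
                hits.append((n, "URL", url.lower()))
            else:  # fall back to the URL's host against the domain indicators
                d = domain_hit(urlparse(url).hostname or "", iocs["DOMAIN"])
                if d:
                    hits.append((n, "DOMAIN", d))
        for key in ("md5", "sha1", "sha256"):
            if key in fields and fields[key].lower() in iocs["HASH"]:
                hits.append((n, "HASH", fields[key].lower()))
        for key in ("src", "dst"):
            if key in fields and fields[key] in iocs["IPV4"]:
                hits.append((n, "IPV4", fields[key]))
    return hits


if __name__ == "__main__":
    table, truncated = parse_ioc_table(IOC_TABLE)
    print(f"loaded {sum(len(v) for v in table.values())} indicators, skipped {len(truncated)} truncated")
    for line_no, kind, value in match_logs(SAMPLE_LOGS, table):
        print(f"line {line_no}: {kind} {value}")
```

Hash comparison is case-insensitive and the firewall check looks at both `src` and `dst`, since the report's IPs are C2 endpoints and a host reaching out to one is the event of interest. Note the First Seen / Last Seen columns: the `board.php` URLs were only observed for about two weeks, so matches on those should be weighted by when the traffic occurred.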