Anatomy of attacks aimed at financial sector by the Lazarus group

2018-06-18 Kaspersky

https://www.slideshare.net/SeongsuPark8/area41-anatomy-of-attacks-aimed-at-financial-sector-by-the-lazarus-group-104315358

Attachments

2018_AREA41_Anatomy_of_attacks_aimed_at_financial_sector_by_the_La_TyHm8KI.pdf (4 MB)

The slide material links Lazarus financial-sector activity to Manuscrypt, noting its use since around 2013 and its overlaps with known Lazarus code style and command-and-control patterns. Recent attacks used cryptocurrency-themed news, market-expectation lures, finance-related resumes, and decoys naming the victim companies, with payload delivery through malicious PostScript and Ghostscript exploitation, including CVE-2017-8291. The infection chain consists of encrypted PostScript, shellcode, XOR- or AES-based payload decryption, loader execution, process injection, and deployment of the Manuscrypt or Fallchill backdoor. Infrastructure patterns include compromised IIS servers in China and Korean web servers running attacker-placed PHP or JSP scripts, while the toolset spans active, passive, HTTP, and IIS backdoors, proxy components, traffic forwarders, loaders, and file wipers. The material matters because it ties Lazarus tradecraft against financial targets to document exploitation, multi-stage payload handling, compromised web infrastructure, and remote-access tooling, all of which defenders can map into detections.
