Analysis of attack activities of the APT-C-26 (Lazarus) group using EarlyRat
2023-09-12 • Qihoo360 • Analysis of attack activities of APT-C-26 (Lazarus) organization using EarlyRat •
360 Advanced Threat Research linked APT-C-26/Lazarus and its Andariel subgroup to EarlyRat activity delivered through Skype links pointing to malicious compressed archives and macro-enabled lure documents. The macro dropped an EarlyRat binary into the per-user Windows Startup folder as WHealthScanner.exe, so the implant re-executes at every logon, giving the operator persistence and the ability to collect host information and run commands. The analysis describes EarlyRat's string decryption, host-ID generation, encrypted system profiling, and command execution, including collection of systeminfo, netstat, ipconfig, and tasklist output. The report correlates the C2 URL 40.121.90.194/help.php with Cisco and Kaspersky reporting on Lazarus operations against energy suppliers and Log4j-based deployment in early 2022.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | e439f850aa8ead560c99a8d93e472225 | 2023-09-12 | 2024-07-25 |
| IPv4 | 74.124.228.148 | 2023-09-12 | 2024-06-13 |
| HASH | 8031958a3156187fa53490fb98c39afd | 2023-09-12 | 2023-09-12 |
| HASH | 344a7f277f3d7dd2dc0e86f69c3ca49d | 2023-09-12 | 2023-09-12 |
| HASH | 74f1b7a57cd76279ec16b311089995a6 | 2023-09-12 | 2023-09-12 |
| HASH | d642c62147fbdee00412c0604a25a58b | 2023-09-12 | 2023-09-12 |
| HASH | 78e7b9ab205ea31f7eef26de6293f103 | 2023-09-12 | 2023-09-12 |
| HASH | 39598b710e44a5d27684dfa463ce5148 | 2023-02-10 | 2023-09-12 |
| IPv4 | 40.121.90.194 | 2022-09-08 | 2023-09-12 |