BLOCKBUSTED: Lazarus Blockbuster and North Korea
2017-12-12 • Intezer
http://www.intezer.com/blockbusted-lazarus-blockbuster-north-korea/
Intezer links Lazarus malware used in the Blockbuster campaign to a broader North Korea-attributed framework through repeated code reuse across samples compiled from 2014 to 2017. The analysis finds overlaps among RATs, Trojans, backdoors, and families such as FALLCHILL, Destover, Hangman, Volgmer, and Manuscrypt, including largely unchanged C&C command-handler functionality across multiple binaries. Observed execution traits include manual import resolution with GetProcAddress, evolving string obfuscation, optional persistence and sandbox or VM checks, and a thread that listens for C&C commands. The report also describes Lazarus use of hijacked domains and servers, malicious documents with fake job-position macros, a China-hosted C&C at 114.215.107.218, and spam-comment links such as lzruziniu[.]com as possible infection lures. The code-level continuity matters because it ties apparently different Lazarus-linked malware components into a reusable operational framework rather than isolated tools.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 80b5cc9feb10fac41ee2958ab0f751b… | 2017-12-12 | 2020-03-09 |
| HASH | a4a2e47161bbf5f6c1d5b1b3fba26a1… | 2017-12-12 | 2020-03-09 |
| HASH | e79bbb45421320be05211a94ed50743… | 2017-12-12 | 2020-03-09 |
| HASH | 4a84452752cf8e493ae820871096044… | 2017-12-12 | 2020-03-09 |
| HASH | dbae68e4cab678f2678da7c48d57986… | 2017-12-12 | 2020-03-09 |
| HASH | 4e8c10a7fa51a3ab089b284e86a7daa… | 2017-12-12 | 2020-03-09 |
| HASH | a606716355035d4a1ea0b15f3bee30a… | 2017-11-20 | 2020-03-09 |
| HASH | 7429a6b6e8518a1ec1d1c37a8786359… | 2017-08-14 | 2020-03-09 |
| HASH | 9f177a6fb4ea5af876ef8a0bf954e37… | 2017-05-22 | 2020-03-09 |
| IPv4 | 41.131.29.59 | 2017-12-12 | 2017-12-19 |
| IPv4 | 64.86.34.24 | 2017-12-12 | 2017-12-19 |
| IPv4 | 176.35.250.93 | 2017-08-14 | 2017-12-19 |
| HASH | 0b4959764331ddbe7da71e6f8515d0b… | 2017-12-12 | 2017-12-12 |
| HASH | 9607ab45451bb6c52eeec8cf0669d1d… | 2017-12-12 | 2017-12-12 |
| HASH | 4481e31d42499d084317b79a3a6250e… | 2017-12-12 | 2017-12-12 |
| HASH | 3d481d166f27b48f103db39fda3845d… | 2017-12-12 | 2017-12-12 |
| HASH | 959eb014a2d8ca8158d1f6a198205d3… | 2017-12-12 | 2017-12-12 |
| HASH | 76e0eec565f4e50b57d74fb1a09ea9e… | 2017-12-12 | 2017-12-12 |
| HASH | 9fa326adbd71e58aeb7ea404b6b8d6b… | 2017-12-12 | 2017-12-12 |
| HASH | ee3ecf100fc2042cfadeb0509ae4f49… | 2017-12-12 | 2017-12-12 |
| HASH | db1f4abd2a8d3b17c14e8f31cb1da3a… | 2017-12-12 | 2017-12-12 |
| HASH | 6dcd635875625426298a1d7b4ab346e… | 2017-12-12 | 2017-12-12 |
| HASH | 2de5e99315a6cf42a46c8286ac4ea0b… | 2017-12-12 | 2017-12-12 |
| HASH | f09fb9a79bab6a927297e5365940270… | 2017-12-12 | 2017-12-12 |
| HASH | 16eaa0298c66e0de40cc42568879fab… | 2017-12-12 | 2017-12-12 |
| HASH | 8ba791b9611d5d6dfd40e08e43ad851… | 2017-12-12 | 2017-12-12 |
| HASH | de13155f4a4cb1af045398835451519… | 2017-12-12 | 2017-12-12 |
| HASH | 8edb59694ff239c90f33cdbb17bc67e… | 2017-12-12 | 2017-12-12 |
| DOMAIN | lzruziniu.com | 2017-12-12 | 2017-12-12 |
| IPv4 | 201.26.209.137 | 2017-12-12 | 2017-12-12 |
| IPv4 | 193.251.27.90 | 2017-12-12 | 2017-12-12 |
| IPv4 | 114.215.107.218 | 2017-12-12 | 2017-12-12 |
| IPv4 | 58.6.21.11 | 2017-12-12 | 2017-12-12 |
| IPv4 | 190.216.219.247 | 2017-12-12 | 2017-12-12 |
| IPv4 | 182.180.143.39 | 2017-12-12 | 2017-12-12 |
| IPv4 | 14.161.14.196 | 2017-12-12 | 2017-12-12 |
| IPv4 | 92.42.54.184 | 2017-12-12 | 2017-12-12 |
| HASH | 1d195c40169cbdb0f50eca40ebda623… | 2017-11-20 | 2017-12-12 |
| IPv4 | 118.140.97.6 | 2017-08-14 | 2017-12-12 |
| IPv4 | 220.132.191.110 | 2016-07-28 | 2017-12-12 |