Case of malware infection by the Lazarus attack group that neutralizes anti-virus programs using the BYOVD technique
2022-10-24 • AhnLab • Case of malware infection by the Lazarus attack group that neutralizes anti-virus programs using BYOVD technique
AhnLab describes a Lazarus intrusion case in which the actor used a Bring Your Own Vulnerable Driver (BYOVD) technique to disable security products before deploying malware. The activity is connected to earlier Lazarus malware that abused INITECH-related processes, but it adds an anti-security stage: a legitimately signed but vulnerable driver is loaded and its flaw is used to interfere with endpoint protection. Once defenses are weakened, the attackers execute additional payloads and maintain control over the compromised system. The report highlights monitoring for driver abuse (loading of known-vulnerable signed drivers), blocking of vulnerable drivers, and endpoint hardening as important defenses against Lazarus operations.
Indicators of Compromise