Analysis Report on Lazarus Malware Distributed via the ClickFix Method, Part 2 (original title: ClickFix 방식으로 배포되는 라자루스(Lazarus)의 악성코드 분석 보고서_2편)
2025-02-12 • Nurilab • Analysis of Lazarus Malware Distributed via the ClickFix Technique, Part 2
The second Nurilab report continues the Lazarus ClickFix malware chain and focuses on its final payload, the C# binary Tvooly.exe, which is reached only after seven stages of de-obfuscation, decryption and C2 round-trips. Tvooly.exe is itself obfuscated, decrypts its embedded resources with AES, generates intermediate language (IL) at runtime so that parts of its logic never exist as static code, and receives base64-encoded C2 responses that it decodes and then decrypts before use. The report also documents communication with several C2 domains and IP addresses, including node02-prefixed hosts, and notes that the executables dropped into the Temp directory are polymorphic, so file hashes collected from one infection are unlikely to match the next.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | a104-75-33-105.deploy.static.ak… | 2025-02-12 | 2025-02-12 |
| DOMAIN | maui.com | 2025-02-12 | 2025-02-12 |
| DOMAIN | node02-windows-grupodw.asplhost… | 2025-02-12 | 2025-02-12 |
| IPv4 | 104.21.36.55 | 2025-02-12 | 2025-02-12 |
| IPv4 | 172.67.185.240 | 2025-02-12 | 2025-02-12 |
Note: two domain values are truncated on this page. Both IPv4 entries fall inside Cloudflare's published address space (104.16.0.0/13 and 172.64.0.0/13), and the a104-… hostname has the form of a CDN reverse-DNS name, so these identify shared front ends rather than attacker-owned hosts; use them for correlation with other evidence rather than as stand-alone blocking rules.
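As an added example (not code from the Nurilab report), the matcher below runs the IOC table above over constructed DNS and proxy log lines. It treats the two truncated domain values only as prefix patterns and reports them as partial matches, and it downgrades hits on the two IPv4 addresses because they sit in Cloudflare's published ranges, which is the caveat a detection engineer would want encoded rather than left in a footnote. The log lines, host names ending in `.invalid`, and the field layout (`qname=`, `sni=`, `dst=`) are assumptions made for the example.

```python
import ipaddress
import re

# Indicator values copied from the report's IOC table. Two domain values are
# truncated on the page ("…"); they are kept truncated and used only as
# prefix patterns, flagged as partial matches.
IOCS = [
    ("DOMAIN", "a104-75-33-105.deploy.static.ak…"),
    ("DOMAIN", "maui.com"),
    ("DOMAIN", "node02-windows-grupodw.asplhost…"),
    ("IPv4", "104.21.36.55"),
    ("IPv4", "172.67.185.240"),
]

# Cloudflare's published IPv4 ranges that contain both listed addresses.
# Many unrelated sites sit behind the same front ends, so a hit here is
# corroborating evidence, not proof of C2 traffic.
SHARED_CDN_RANGES = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]

# Constructed sample DNS/proxy log lines for this example (not from the report).
# The ".invalid" name exercises the prefix path for a truncated indicator and
# "notmaui.com" checks that suffix matching does not over-match.
SAMPLE_LOGS = """\
2025-02-12T09:14:02Z dns host=ws07 qname=node02-windows-grupodw.asplhost.invalid rcode=NOERROR
2025-02-12T09:14:03Z proxy host=ws07 dst=104.21.36.55:443 sni=maui.com bytes_out=8192
2025-02-12T09:15:10Z proxy host=ws12 dst=172.67.185.240:443 sni=cdn.example.org bytes_out=512
2025-02-12T09:16:44Z proxy host=ws12 dst=198.51.100.9:443 sni=notmaui.com bytes_out=1024
2025-02-12T09:17:00Z proxy host=ws03 dst=203.0.113.7:443 sni=www.example.com bytes_out=2048
"""

HOST_RE = re.compile(r"(?:qname|sni)=([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3})")


def in_shared_cdn(ip: str) -> bool:
    """True when the address is inside one of the shared CDN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_CDN_RANGES)


def domain_hits(hosts, value):
    """Match a DOMAIN indicator: exact or subdomain match for full values,
    prefix match (reported as partial) for values truncated with '…'."""
    if value.endswith("…"):
        prefix = value[:-1].lower()
        return [(h, "partial") for h in hosts if h.startswith(prefix)]
    v = value.lower()
    return [(h, "exact") for h in hosts if h == v or h.endswith("." + v)]


def match_line(line: str):
    """Return every indicator hit on one log line with a confidence label."""
    hosts = [h.lower().rstrip(".") for h in HOST_RE.findall(line)]
    ips = IP_RE.findall(line)
    hits = []
    for kind, value in IOCS:
        if kind == "DOMAIN":
            for observed, confidence in domain_hits(hosts, value):
                hits.append({"ioc": value, "observed": observed, "confidence": confidence})
        elif kind == "IPv4":
            for ip in ips:
                if ip == value:
                    # An exact IP match inside shared CDN space is low fidelity.
                    confidence = "low" if in_shared_cdn(ip) else "exact"
                    hits.append({"ioc": value, "observed": ip, "confidence": confidence})
    return hits


def scan(log_text: str):
    """Run every line through the indicator set and return the hits in order."""
    results = []
    for line in log_text.splitlines():
        for hit in match_line(line):
            hit["line"] = line
            results.append(hit)
    return results


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"[{hit['confidence']:>7}] {hit['ioc']} <- {hit['observed']}")
```

On the constructed logs this yields four hits: one partial prefix match on the truncated node02 indicator, one exact match on maui.com, and two low-confidence matches on the Cloudflare-hosted addresses; the `notmaui.com` line produces nothing because matching is on the whole label or a parent domain, not a substring.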
Related Reports
2025-02-07 • Nurilab • 80% match • Shares tags: Lazarus, ClickFix • Same author • Published within a week
#ContagiousInterview
#Lazarus
#ClickFix
#T1082 (System Information Discovery)
#T1041 (Exfiltration Over C2 Channel)
#T1555 (Credentials from Password Stores)
#T1056.001 (Input Capture: Keylogging)
#T1027 (Obfuscated Files or Information)
#T1204.002 (User Execution: Malicious File)
#T1555.003 (Credentials from Web Browsers)
#T1027.002 (Obfuscated Files or Information: Software Packing)
#T1564.001 (Hide Artifacts: Hidden Files and Directories)
#T1016 (System Network Configuration Discovery)
#T1033 (System Owner/User Discovery)
#T1546.008 (Event Triggered Execution: Accessibility Features)