Cryptocurrency businesses still being targeted by Lazarus

2019-03-26 Kaspersky

https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/

Kaspersky reported a Lazarus operation, active since at least November 2018, targeting cryptocurrency businesses, especially South Korean exchanges. The attackers used weaponized Korean- and Chinese-language business documents, PowerShell backdoors for Windows, malicious HWP files as a delivery vector, and an expanding set of macOS malware aimed at Apple users. The malware communicated with C2 scripts disguised as WordPress or open-source project files, and the infrastructure separated rented malware-hosting servers from compromised C2 servers. Payloads included 32-bit and 64-bit Windows variants with "CheckSelf" and "battle" naming, reinforcing Lazarus's continued financial targeting.

Indicators of Compromise

