Evidence Leads to Lazarus as the VMConnect Supply Chain Attack Continues

2023-10-24 Hawkeye

https://www.hawk-eye.io/2023/10/evidence-leads-to-lazarus-as-the-vmconnect-supply-chain-attack-continues/


The VMConnect campaign used malicious PyPI packages that impersonated legitimate Python tools, including vConnector, eth-tester, and databases. ReversingLabs found that VMConnect's __init__.py decoded and executed Base64-encoded content, then entered a loop that contacted command-and-control infrastructure for additional encoded commands. The operators created a purpose-built PyPI account and a matching GitHub repository so the package would appear legitimate, showing deliberate open-source supply-chain tradecraft. The investigation found code similarities between VMConnect and the malicious py_QRcode package, which led researchers to Lazarus. The report also lists C2 domains and numerous SHA-1 hashes tied to the campaign.
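The decode-then-execute shape described above (a package __init__.py that feeds the output of a Base64 decoder straight into exec) is simple enough to screen for statically before a package is installed. The following triage script is an added example, not code from the report or from ReversingLabs: it parses a Python file with the standard library's ast module and flags any exec or eval call whose argument is a decode call or a name that was bound to one. The sample __init__.py it runs on is constructed here, and its encoded payload is just print('hello').

```python
"""Triage check: flag exec/eval calls fed by a base64-family decode in Python source."""
import ast
import base64
import textwrap

# Decoding helpers whose output landing in exec/eval is the pattern of interest.
DECODE_FUNCS = {"b64decode", "b32decode", "b16decode", "b85decode", "decodebytes"}
EXEC_FUNCS = {"exec", "eval"}


def _call_name(call):
    """Bare function name of a Call node ('exec', 'b64decode'), or None."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _has_decode_call(node):
    """True if any call nested under `node` is one of the decode helpers."""
    return any(
        isinstance(n, ast.Call) and _call_name(n) in DECODE_FUNCS
        for n in ast.walk(node)
    )


def find_decode_exec(source, filename="<source>"):
    """Return [(line, func_name)] for each exec/eval whose argument derives from a decode.

    Two shapes are covered: the decode call sits inline in the argument, or the argument
    is a plain name that was assigned from a decode expression elsewhere in the file.
    """
    tree = ast.parse(source, filename=filename)

    # Pass 1: collect names bound to a decode result, e.g. `payload = base64.b64decode(...)`.
    decoded_names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _has_decode_call(node.value):
            decoded_names.update(t.id for t in node.targets if isinstance(t, ast.Name))

    # Pass 2: report exec/eval calls fed by either shape.
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _call_name(node) in EXEC_FUNCS):
            continue
        for arg in node.args:
            fed_by_name = isinstance(arg, ast.Name) and arg.id in decoded_names
            if fed_by_name or _has_decode_call(arg):
                findings.append((node.lineno, _call_name(node)))
                break
    return findings


# Constructed sample mimicking the decode-then-execute shape; the payload is only print('hello').
_BENIGN = base64.b64encode(b"print('hello')").decode()
SAMPLE_INIT = textwrap.dedent(f"""
    import base64, json

    payload = base64.b64decode("{_BENIGN}")
    exec(payload)                                   # flagged: name bound to a decode result
    exec(base64.b64decode("{_BENIGN}").decode())    # flagged: inline decode
    config = json.loads(base64.b64decode("e30="))   # not flagged: decode without exec
    eval("1 + 1")                                   # not flagged: literal, no decode
""")


def main():
    for line, func in find_decode_exec(SAMPLE_INIT, "__init__.py"):
        print(f"__init__.py:{line}: {func}() fed by a Base64-family decode")


if __name__ == "__main__":
    main()
```

This is a heuristic for reviewing a package's __init__.py and setup.py before installation, not a complete detector: it catches only direct calls to the base64 module's decoders, so code that reaches them through getattr, codecs, or a custom decoder will not be flagged and still needs manual review.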

Indicators of Compromise

Type Value First Seen Last Seen
HASH b1880340818a1feda156abd272255bc… 2023-08-31 2023-10-24
HASH 5e026885bcf4b67993aefa4e992153f… 2023-08-31 2023-10-24
HASH 049cc8d88a086c8fc69b51d76b6c0c4… 2023-08-31 2023-10-24
HASH 321363f11464208ee24e56a700ad5d2… 2023-08-31 2023-10-24
HASH 2c72edf29d5bca22525d612c94f1ee3… 2023-08-31 2023-10-24
HASH 859f5b0af717fca9f890dcba0b87ac6… 2023-08-31 2023-10-24
HASH bbb1e2ac1d243b8db922a23821de570… 2023-08-31 2023-10-24
HASH e3545b2c53c2cb8f012f0badc1bf452… 2023-08-31 2023-10-24
HASH 89c05ecd388c5f168704c5a8e1d37f7… 2023-08-31 2023-10-24
HASH e063b210b50ca1426da45afa430d87c… 2023-08-31 2023-10-24
HASH aeeb445216a205abd770546dfa8d03f… 2023-08-31 2023-10-24
HASH 39e9859f0cf85a0c8361e042e8316d4… 2023-08-31 2023-10-24
HASH fdea182ffe7c04c28f28f88ceb96247… 2023-08-31 2023-10-24
HASH 9b8eefa1d7ee348c2b1b4c350028df5… 2023-08-31 2023-10-24
IPv4 45.61.136.133 2023-08-31 2023-10-24
HASH dbc14c3ac0528a8aeb6edba8a0b2792… 2023-08-03 2023-10-24
HASH 9a276ca3678898f5596166416f7e709… 2023-08-03 2023-10-24
HASH 67226da423ab4a2c97b2d008dec4528… 2023-08-03 2023-10-24
HASH 0b7b4444f820e9990dfeb5e2080321b… 2023-08-03 2023-10-24
HASH 0eb79e80c51c0e14be3620dfb237f7b… 2023-08-03 2023-10-24
HASH 0dc723e77a5b97183a90eaecb62c9b7… 2023-08-03 2023-10-24
HASH 2ff1b3aa2dbff6d87447b250a8d1924… 2023-08-03 2023-10-24
HASH e531121b137182453f0d120be860ad8… 2023-08-03 2023-10-24
HASH 9588affaf9d85e2141b9d76b914d9f8… 2023-08-03 2023-10-24
HASH de4e9efeace6ff76dc00a166dca152d… 2023-08-03 2023-10-24
HASH b1f2d50be0aca0672475488d77c6f71… 2023-08-03 2023-10-24
HASH 664f0913a5952eeb77373f83e090fab… 2023-08-03 2023-10-24
HASH bc2d48d6d9eeaf0b29625683942e90d… 2023-08-03 2023-10-24
HASH d404a55f1f7fbcd8b3156a84ebcf97c… 2023-08-03 2023-10-24
HASH 19684554e4905bb3cf354a5d5a0f00d… 2023-08-03 2023-10-24
HASH bd7ba47f730c2bc33afa67a39d9cbe3… 2023-08-03 2023-10-24
HASH 658605988c7afd9adf437fb64ff682c… 2023-08-03 2023-10-24
HASH 6bf76b01bd17f370cd3f9947135bf25… 2023-08-03 2023-10-24
HASH a1b039f88c385f5c5eec2ef1701251c… 2023-08-03 2023-10-24
HASH 5f03b73d56528ecbc3f24b8e7daec6b… 2023-08-03 2023-10-24
HASH 146942c5dbaba55be174b1bfb127410… 2023-08-03 2023-10-24
HASH 497df2fd2dba324be04cc57f50a3170… 2023-08-03 2023-10-24
HASH e6494b9a91862191556d77022e5577d… 2023-08-03 2023-10-24
HASH b0095f149951241c6e11e0d1be1f74e… 2023-08-03 2023-10-24
DOMAIN deliworkshopexpress.xyz 2023-08-03 2023-10-24
IPv4 45.61.139.219 2023-08-03 2023-10-24