Greetings from Lazarus

2020-12-15 HvS-Consulting

https://www.hvs-consulting.de/public/ThreatReport-Lazarus.pdf

Attachments

ThreatReport-Lazarus.pdf (1 MB)

HvS-Consulting described multiple 2020 intrusions against European manufacturing and electrical-industry customers that it attributed with high confidence to Lazarus/APT37 based on overlapping TTPs and IOCs. Patient-zero users were approached via LinkedIn in February 2020, and the report frames the incidents as a coordinated espionage campaign rather than isolated compromises. The observed activity included reuse of C2 and exfiltration infrastructure, compromised websites, process commands and tools, with the attacker focused on stealing selected information. The report maps the campaign across the MITRE ATT&CK lifecycle and provides command-and-control domains, filenames, hashes, process execution artifacts and YARA rules for defenders.

Indicators of Compromise

