Analysis of the Lazarus APT group's recent attacks on the blockchain finance and energy industries

2021-09-07, Qianxin: Analysis of recent attacks by the Lazarus APT organization targeting the blockchain finance and energy industries

https://www.secrss.com/articles/34142


QiAnXin's RedDrip team reported Lazarus-attributed spear-phishing samples aimed at blockchain, finance, and oil-and-gas targets, including job-opportunity and security-themed lures packaged as ZIP/LNK files or decoy documents. The LNK chain used cmd.exe and mshta.exe to retrieve obfuscated JScript from infrastructure such as googlesheetpage.org, opened Google Drive decoys, checked for security processes, wrote JavaScript into the Temp directory, and copied a configured LNK into the Startup folder for persistence. The activity was linked to earlier Lazarus JavaScript code through strong code similarity, and the report lists representative hashes and domains including product.onlinedoc.dev, share.devprocloud.com, and gsheet.gdocsdown.com.
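The execution chain summarised above (cmd.exe launching mshta.exe with a remote URL, JavaScript written to Temp, an LNK copied into the Startup folder) maps directly onto endpoint telemetry. The following detection logic is an added example, not code from the QiAnXin report; the Sysmon-style field names, hostnames and file paths are constructed assumptions, and the one domain used is taken from the report.

```python
"""Added detection example (not from the QiAnXin report): flags the LNK -> cmd.exe ->
mshta.exe chain, the JS drop into Temp and the Startup-folder LNK copy described above,
over constructed Sysmon-style events. Field names and sample values are assumptions."""
import re

REMOTE = re.compile(r"https?://", re.I)                       # remote script fetched by mshta
TEMP_JS = re.compile(r"\\Temp\\[^\\]+\.js$", re.I)            # JavaScript dropped into Temp
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)

def _image_is(path, name):
    return path.lower().endswith("\\" + name)

def classify(ev):
    """Return the name of the matching rule for one event, or None if it looks benign."""
    if ev["type"] == "process_create":
        # mshta.exe spawned by cmd.exe (as from an LNK) with a URL on its command line
        if (_image_is(ev["image"], "mshta.exe")
                and _image_is(ev["parent_image"], "cmd.exe")
                and REMOTE.search(ev["command_line"])):
            return "mshta_remote_script"
    elif ev["type"] == "file_create":
        target = ev["target"]
        if _image_is(ev["image"], "mshta.exe") and TEMP_JS.search(target):
            return "mshta_drops_js_in_temp"
        if STARTUP_LNK.search(target):           # any writer: the chain copies a prepared LNK here
            return "startup_lnk_persistence"
    return None

def detect(events):
    """Return (rule, host, detail) tuples for every event that matches a rule."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append((rule, ev["host"], ev.get("command_line") or ev.get("target")))
    return hits

# Constructed sample telemetry (hostnames and user paths are made up for this example).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS01", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "mshta https://www.googlesheetpage.org"},
    {"type": "file_create", "host": "WS01", "image": r"C:\Windows\System32\mshta.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\update.js"},
    {"type": "file_create", "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\report.lnk"},
    # benign: a local HTA opened from Explorer should not match
    {"type": "process_create", "host": "WS02", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": r"mshta C:\Tools\help.hta"},
]
```

Running `detect(SAMPLE_EVENTS)` yields three hits for WS01 and none for the benign WS02 event; in production the same three rules would be fed from Sysmon event IDs 1 and 11 or an EDR's equivalent process and file telemetry.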

Indicators of Compromise

