Lazarus APT analysis
2018-11-01 • Somansa • Lazarus APT analysis
Somansa analyzed an October 2018 Lazarus APT operation against specific South Korean targets. The operation used emails impersonating a lawyer, with a malicious HWP document attached and disguised as a normal file. The HWP carried a malicious PostScript component whose shellcode contacted a distribution server, selected a payload according to the victim's OS version, and downloaded an XOR-encoded DLL. Once decoded and executed, the DLL connected to C2 servers, including theinspectionconsultant[.]com, danagloverinteriors[.]com, and as-brant[.]ru, and waited for attacker commands. The report attributes the activity to Lazarus on three grounds: the reused internal names battle32.dll and battle64.dll, metadata and functions associated with the Sony Pictures attack, and a code string previously seen in Lazarus activity earlier that year.
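The report describes the second-stage DLL as XOR-encoded and names its reused internal names. The following triage helper is an added example, not code from the Somansa report: it recovers a single-byte XOR key from a captured blob by looking for a valid PE header and then checks the decoded bytes for the internal names cited above. The single-byte key length, the `triage`/`recover_xor_key` helpers and the constructed sample blob are assumptions; the report does not state how long the key is.

```python
# Added example (not from the Somansa report): recover a single-byte XOR key from a
# blob that is expected to decode to a DLL, then look for the Lazarus-linked internal
# names the report cites. The single-byte key and the sample blob are constructed
# assumptions; the report does not state the key length.
LAZARUS_INTERNAL_NAMES = (b"battle32.dll", b"battle64.dll")

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (XOR is its own inverse, so this also decodes)."""
    return bytes(b ^ key for b in data)

def looks_like_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' at offset 0 and the 'PE' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_xor_key(blob: bytes):
    """Try all 256 single-byte keys; return (key, decoded) for the first valid PE, else None."""
    for key in range(256):
        decoded = xor_bytes(blob, key)
        if looks_like_pe(decoded):
            return key, decoded
    return None

def triage(blob: bytes) -> dict:
    """Report whether the blob decodes to a PE and which known internal names it contains."""
    result = recover_xor_key(blob)
    if result is None:
        return {"is_pe": False, "key": None, "internal_names": []}
    key, decoded = result
    names = [n.decode() for n in LAZARUS_INTERNAL_NAMES if n in decoded]
    return {"is_pe": True, "key": key, "internal_names": names}

def build_sample_blob(key: int = 0x5A) -> bytes:
    """Construct a tiny fake PE image (DOS header, PE signature, one string) and XOR-encode it."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3A + (0x80).to_bytes(4, "little"))  # e_lfanew = 0x80
    dos += b"\x00" * (0x80 - len(dos))
    pe = b"PE\x00\x00" + b"\x00" * 20 + b"...battle64.dll\x00"  # constructed sample content
    return xor_bytes(bytes(dos) + pe, key)

if __name__ == "__main__":
    print(triage(build_sample_blob()))
```

On a real capture, a recovered key together with a hit on one of the internal names is a triage signal to escalate, not an attribution by itself.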