Lazarus Group Recruitment: Threat Hunters vs Head Hunters

2021-04-27 Ptsecurity

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/lazarus-recruitment/


Positive Technologies describes a Lazarus Group intrusion into a large pharmaceutical company that began with job-offer lure documents delivered to employees, in one case over Telegram. Opening the documents enabled malicious macros on employees' home computers, after which the attackers ran reconnaissance utilities and deployed CommsCacher components with persistence artifacts and an encrypted configuration. The compromised hosts connected to forecareer[.]com, a recently registered domain mimicking General Dynamics Mission Systems, and later gave the attackers access to the company through its RDG (Remote Desktop Gateway) environment. Within four days the operators had reached servers including a domain controller, a file server and an additional RDG server, using built-in system utilities, ADFind-like tooling and custom services to expand their control.

Indicators of Compromise

