Lazarus Under The Hood

2017-04-03 Kaspersky

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf

Attachments

Lazarus_Under_The_Hood_PDF_final.pdf (3 MB)

Kaspersky links tools used against SWIFT-supporting banking systems to Lazarus Group’s broader lateral-movement arsenal based on forensic investigations at banks in two countries. The report separates Bluenoroff as a financially focused Lazarus unit that reuses Lazarus backdoors and access while targeting banks, financial companies, traders, and casinos. It notes that early Bangladesh attribution rested mainly on shared wiper code and was not sufficient on its own, while later incidents involving Trojan-Banker.Win32.Alreay and European financial institutions provided stronger technical evidence. The activity matters because it connects espionage and sabotage-era Lazarus tooling with bank intrusions aimed at financial manipulation and SWIFT-related environments.

Indicators of Compromise

Type Value First Seen Last Seen
HASH bbd703f0d6b1cad4ff8f3d2ee3cc073c 2017-04-03 2021-05-24
DOMAIN tradeboard.mefound.com 2017-04-03 2018-09-06
DOMAIN movis-es.ignorelist.com 2017-04-03 2018-09-06
HASH 5d0ffbc8389f27b0649696f0ef5b3cfe 2016-05-27 2018-03-08
HASH b135a56b0486eb4c85e304e636996ba1 2017-04-03 2017-04-03
HASH 7260340b7d7b08b7a9c7e27d9226e17… 2017-04-03 2017-04-03
HASH 02f75c2b47b1733f1889d6bbc026157c 2017-04-03 2017-04-03
HASH 459593079763f4ae74986070f47452cf 2017-04-03 2017-04-03
HASH 6eec1de7708020a25ee38a0822a59e88 2017-04-03 2017-04-03
HASH b9353e2e22cb69a9cd967181107113a… 2017-04-03 2017-04-03
HASH 954f50301207c52e7616cc490b8b4d3c 2017-04-03 2017-04-03
HASH ad5485fac7fed74d112799600edb2fbf 2017-04-03 2017-04-03
HASH 2ef2703cfc9f6858ad9527588198b1b6 2017-04-03 2017-04-03
HASH 964ba2c98b42e76f087789ab5f64e75… 2017-04-03 2017-04-03
HASH b9be8d53542f5b4abad4687a891b1c03 2017-04-03 2017-04-03
HASH 77c7a17ccd4775b2173a24cd358ad3f… 2017-04-03 2017-04-03
HASH d7d724718065b2f386623dfaa8d1c4d… 2017-04-03 2017-04-03
HASH 268dca9ad0dcb4d95f95a80ec621924f 2017-04-03 2017-04-03
HASH 1eff40761643f310a5cd7449230d5cf… 2017-04-03 2017-04-03
HASH e62a52073fd7bfd251efca9906580839 2017-04-03 2017-04-03
HASH 487f64dc8e98e443886b994b121f4a0… 2017-04-03 2017-04-03
HASH 93e7e7c93cf8060eeafdbe47f679662… 2017-04-03 2017-04-03
HASH 8387ceba0c020a650e1add75d24967f2 2017-04-03 2017-04-03
HASH 2de01aac95f8703163da7633993fb447 2017-04-03 2017-04-03
HASH 07e13b985c79ef10802e75aadfac6408 2017-04-03 2017-04-03
HASH 198760a270a19091582a5bd841fbaec0 2017-04-03 2017-04-03
HASH 9d1db33d89ce9d44354dcba9ebba4c2d 2017-04-03 2017-04-03
HASH fde55de117cc611826db0983bc054624 2017-04-03 2017-04-03
HASH 06cd99f0f9f152655469156059a8ea25 2017-04-03 2017-04-03
HASH 579e45a09dc2370c71515bd0870b2078 2017-04-03 2017-04-03
HASH f5e0f57684e9da7ef96dd459b554fded 2017-04-03 2017-04-03
HASH cb65d885f4799dbdf80af2214ecdc5fa 2017-04-03 2017-04-03
HASH 949e1e35e09b25fca3927d3878d72bf4 2017-04-03 2017-04-03
HASH a0c02ce526d5c348519905710935e22… 2017-04-03 2017-04-03
HASH 3b1dfeb298d0fb27c31944907d900c1d 2017-04-03 2017-04-03
HASH 09a77c0cb8137df82efc0de5c7fee46e 2017-04-03 2017-04-03
HASH 16a278d0ec24458c8e47672529835117 2017-04-03 2017-04-03
HASH 5fbfeec97e967325af49fa4f65bb2265 2017-04-03 2017-04-03
HASH 0abdaebbdbd5e6507e6db15f628d6fd7 2017-04-03 2017-04-03
HASH c635e0aa816ba5fe6500ca9ecf34bd06 2017-04-03 2017-04-03
HASH 7413f08e12f7a4b48342a4b530c8b785 2017-04-03 2017-04-03
HASH 2963cd266e54bd136a966bf491507bbf 2017-04-03 2017-04-03
HASH ce6e55abfe1e7767531eaf1036a5db3d 2017-04-03 2017-04-03
HASH 072245dc2339f8cd8d9d56b479ba5b8… 2017-04-03 2017-04-03
HASH 5ebfe9a9ab9c2c4b200508ae5d91f067 2017-04-03 2017-04-03
HASH 17bc6f5b672b7e128cd5df51cdf10d37 2017-04-03 2017-04-03
HASH 474f08fb4a0b8c9e1b88349098de10b1 2017-04-03 2017-04-03
URL https://sap.misapor.ch/vishop/i… 2017-04-03 2017-04-03
URL http://www.eye-watch.in/design/… 2017-04-03 2017-04-03
URL http://sap.misapor.ch:443/visho… 2017-04-03 2017-04-03
URL https://sap.misapor.ch/vishop/v… 2017-04-03 2017-04-03
DOMAIN update.toythieves.com 2017-04-03 2017-04-03
DOMAIN fpdownload.macromedia.com 2017-04-03 2017-04-03
DOMAIN exbonus.mrbasic.com 2017-04-03 2017-04-03
IPv4 129.221.254.13 2017-04-03 2017-04-03
IPv4 100.158.242.245 2017-04-03 2017-04-03
IPv4 87.151.206.56 2017-04-03 2017-04-03
IPv4 53.250.8.254 2017-04-03 2017-04-03
IPv4 46.100.250.10 2017-04-03 2017-04-03
IPv4 88.223.23.193 2017-04-03 2017-04-03
IPv4 76.9.60.204 2017-04-03 2017-04-03
IPv4 37.87.25.23 2017-04-03 2017-04-03
IPv4 82.144.131.5 2017-04-03 2017-04-03
IPv4 73.245.147.162 2017-04-03 2017-04-03
IPv4 20.0.0.235 2017-04-03 2017-04-03
IPv4 218.224.125.66 2017-04-03 2017-04-03
IPv4 9.173.0.74 2017-04-03 2017-04-03
IPv4 67.65.229.53 2017-04-03 2017-04-03
IPv4 62.201.235.227 2017-04-03 2017-04-03
HASH e29fe3c181ac9ddbb242688b151f3310 2017-02-20 2017-04-03
HASH a107f1046f5224fdb3a5826fa6f940a… 2017-02-16 2017-04-03
HASH aa115e6587a535146b7493d6c02896a… 2017-02-16 2017-04-03
HASH 85d316590edfb4212049c4490db08c4b 2017-02-03 2017-04-03
HASH 4f0d7a33d23d53c0eb8b34d102cdd66… 2017-02-03 2017-04-03
HASH c1364bbf63b3617b25b58209e4529d8c 2017-02-03 2017-04-03
HASH bedceafa2109139c793cb158cec9fa4… 2017-02-03 2017-04-03
HASH 1bfbc0c9e0d9ceb5c3f4f6ced6bcfeae 2017-02-03 2017-04-03
URL http://www.knf.gov.pl/DefaultDe… 2017-02-03 2017-04-03
URL https://sap.misapor.ch/vishop/v… 2017-02-03 2017-04-03
DOMAIN sap.misapor.ch 2017-02-03 2017-04-03
HASH 1d0e79feb6d7ed23eb1bf7f257ce4fee 2016-05-27 2017-04-03
