Multi-universe of adversary: Multiple campaigns of Lazarus group and its connect

2021-12-21 Kaspersky

https://www.seongsupark.com/post/vb2021-%ED%8E%98%EC%9D%B4%ED%8D%BC-%ED%95%9C%EA%B8%80-%EB%B2%88%EC%97%AD%EB%B3%B8-multi-universe-of-adversary-multiple-campaigns-of-lazarus-group-and-its-connect

This Korean translation of a VB2021 paper explains how Lazarus activity fragmented after 2018 into multiple clusters that share roots in Manuscrypt but differ in delivery, tooling, and mission focus. It describes AppleJeus attacks against cryptocurrency targets; ThreatNeedle infections delivered through watering holes, spearphishing documents, and trojanized software; and DeathNote/Dream Job operations that shifted from cryptocurrency exchanges toward defense-industry lures. The excerpt also covers Bookcode supply-chain and watering-hole activity, CookieTime malware that uses encoded cookie values and steganographic command delivery, and the MATA/Dacls framework across Windows, Linux, and macOS. The report is useful for DPRK tracking because it emphasizes cluster boundaries, overlapping payloads such as Manuscrypt/Fallchill and COPPERHEDGE, and the need to avoid treating every Lazarus-linked intrusion as a single homogeneous campaign.

Indicators of Compromise

