Never Let Your Infrastructure Go Malicious: Digging Into C&C Infrastructure of Lazarus
2017-12-31 • Kaspersky
https://github.com/theseongsu/presentation/blob/main/CSW2017_Lazarus.pdf
Attachments
CSW2017_Lazarus.pdf (3 MB)
Seongsu Park's presentation examines Lazarus C2 infrastructure and the Manuscrypt toolset associated with Bluenoroff and broader Lazarus activity. The slides describe multi-stage proxy architecture, first-stage and final C2 servers, frequent use of compromised hosts in Asia, and vulnerable IIS 6.0 or Windows Server 2003 systems tied to CVE-2017-7269 exposure. The malware and tooling section lists active and passive backdoors, HTTP and IIS backdoors, proxy malware, TCP connection harvesting, loaders, and a file wiper. The talk frames these components against Lazarus-linked incidents such as Sony Pictures, Bangladesh Bank, WannaCry, and attacks on Korean financial-sector targets.