The Blockbuster Sequel
2017-04-07 • Palo Alto Networks
https://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/
Unit 42 links newly observed malicious Word documents and payloads targeting Korean-speaking individuals to the Lazarus activity previously described in Operation Blockbuster. The documents likely arrived through spear phishing, used Korean-language decoy content, and relied on VBA macros that reconstructed and XOR-decoded an embedded PE file before writing it to disk and executing it. The implant maintained persistence from the temporary directory and communicated with hard-coded IPv4 C2 servers over a fake TLS protocol whose SNI values impersonated major web and collaboration services. Additional related samples shared macro logic, cleanup batch-script behavior, command execution routines, and indirect library-calling techniques with known Lazarus samples, giving defenders concrete code and infrastructure overlaps to hunt for.
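The macro behavior described above (an XOR-encoded PE rebuilt in memory and dropped to disk) suggests a simple triage step for a suspicious blob carved from a document: try every single-byte XOR key and stop at the first one that yields a valid MZ/PE layout. The code below is an added example, not Unit 42's tooling or the actual macro; it assumes a single-byte key (the report does not state the key length) and uses a constructed PE-shaped blob rather than a real sample.

```python
import struct

def build_fake_pe_blob() -> bytes:
    """Constructed stand-in for a dropped payload: a minimal PE-shaped blob, not a runnable executable."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"                       # e_magic
    struct.pack_into("<I", dos_header, 60, 0x80)  # e_lfanew points at the PE signature
    stub = b"This program cannot be run in DOS mode.\r\n$"
    body = bytes(dos_header) + stub
    body += b"\x00" * (0x80 - len(body))          # pad up to e_lfanew
    body += b"PE\x00\x00" + b"\x4c\x01"           # PE signature + Machine = i386
    body += b"\x00" * 200                         # filler for the rest of the headers
    return body

def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key (the same operation encodes and decodes)."""
    return bytes(b ^ key for b in data)

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew lands on a PE\\0\\0 signature."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_xor_key(blob: bytes):
    """Brute-force all 256 single-byte keys; return (key, decoded) for the first valid PE, else (None, None).
    Key 0 means the blob was already a plain PE."""
    for key in range(256):
        decoded = xor_bytes(blob, key)
        if looks_like_pe(decoded):
            return key, decoded
    return None, None

if __name__ == "__main__":
    # Constructed input: the fake PE encoded with key 0x5A, mimicking what a macro would embed.
    encoded = xor_bytes(build_fake_pe_blob(), 0x5A)
    key, decoded = recover_xor_key(encoded)
    print("recovered key:", None if key is None else hex(key), "valid PE:", decoded is not None)
```

A hit on a non-zero key is a strong triage signal on its own; the decoded bytes can then be handed to a PE parser or hashed and compared against the report's indicators.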
Indicators of Compromise