The Evolution of Lazarus

2020-04-16 Carbonblack

https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/


VMware Carbon Black TAU traces HotCroissant, a RAT reported by DHS and attributed by DHS to North Korea's Hidden Cobra/Lazarus Group, and compares it with the earlier Rifdoor RAT used in attacks dating back to 2015. HotCroissant decodes its C2 address at startup, sends host information, and accepts a broader command set, while newer samples add UPX packing, RC4-and-base64 string protection, dynamic API lookup, and persistence through a scheduled task named "Java Maintenance64". The analysis highlights shared code and protocol traits between HotCroissant and Rifdoor, including one-byte XOR string decoding, similar host-information collection, socket keepalive settings, stream-cipher-style network encryption, opcode-based commands, and transaction IDs. The findings show an evolution from the simpler Rifdoor backdoor toward a more obfuscated Lazarus RAT with expanded remote-control capabilities, including screen viewing and custom encrypted C2 communications.

Indicators of Compromise

