LAZARUS CONTINUES TO EVADE SECURITY VENDORS

North Korean Threat Actor!


Lazarus Group is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau. The group has been active since at least 2009.

Their most notorious attacks:

  • They were reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment.
  • In February 2016 the group carried out one of the largest cyber heists on record. Lazarus gained access to the Bangladesh Bank's (BB) SWIFT payment system and reportedly instructed an American bank to transfer money from BB's account to accounts in the Philippines. The attackers attempted to steal $951M!


Infection Chain

Email Attachment ==> .docx file ==> Malicious Remote Template
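The last link in that chain is the part a static scanner can catch before anything is downloaded: a .docx declares its template in word/settings.xml, and if the matching relationship in word/_rels/settings.xml.rels has TargetMode="External", Word fetches the template (and any macros it carries) from that URL when the file is opened. The script below is an added example of that check, written for this page; it is not DOCGuard's code and does not reproduce the internals of the two samples. The .docx it inspects is constructed in memory, and the template URL https://example.invalid/template.dotm is a placeholder, so it runs offline.

```python
"""Flag OOXML Word files that load a remote (external) attached template.

Added example for this page, not DOCGuard's code. The document bytes are
constructed in memory below; the template URL is a placeholder.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# OOXML namespaces involved in the remote-template mechanism.
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
TYPE_ATTACHED_TEMPLATE = NS_R + "/attachedTemplate"

SETTINGS = "word/settings.xml"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every external attachedTemplate target declared by a .docx.

    Word resolves <w:attachedTemplate r:id="..."/> in word/settings.xml through
    word/_rels/settings.xml.rels. A relationship of the attachedTemplate type
    with TargetMode="External" makes Word fetch the template from that target
    at open time, which is the hook the infection chain above relies on.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return []
        rels = ET.fromstring(zf.read(SETTINGS_RELS))
    return [
        rel.get("Target", "")
        for rel in rels.iter("{%s}Relationship" % NS_REL)
        if rel.get("Type") == TYPE_ATTACHED_TEMPLATE
        and rel.get("TargetMode") == "External"
    ]


def verdict(docx_bytes: bytes) -> str:
    """Static verdict: any external attached template is flagged, no signature needed."""
    targets = remote_templates(docx_bytes)
    if targets:
        return "Malicious (remote template: %s)" % ", ".join(targets)
    return "Clean"


def build_docx(remote_template: Optional[str]) -> bytes:
    """Construct a minimal .docx in memory (a fixture, not one of the samples above)."""
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        "</Types>"
    )
    document = (
        '<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>Job description</w:t>'
        "</w:r></w:p></w:body></w:document>" % NS_W
    )
    settings = '<w:settings xmlns:w="%s" xmlns:r="%s">' % (NS_W, NS_R)
    if remote_template:
        settings += '<w:attachedTemplate r:id="rId1"/>'
    settings += "</w:settings>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
        zf.writestr(SETTINGS, settings)
        if remote_template:
            # The external relationship is what turns a plain .docx into a downloader.
            zf.writestr(
                SETTINGS_RELS,
                '<Relationships xmlns="%s">'
                '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                "</Relationships>" % (NS_REL, TYPE_ATTACHED_TEMPLATE, remote_template),
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL; a real sample would point at attacker infrastructure.
    for label, blob in (
        ("remote-template doc", build_docx("https://example.invalid/template.dotm")),
        ("plain doc", build_docx(None)),
    ):
        print(label, "->", verdict(blob))
```

Point the check at a real file with `remote_templates(open(path, "rb").read())`. Because it only reads relationship metadata inside the zip container, it works on the document at rest and never contacts the template host, which is also why a plain-text match on the URL in the IOC list would miss a sample whose operators simply rotated the hostname.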

Sample Details

Sample #1
  File Name:  c43dfda63e6e534776eb24d284d0bdf21115181b49d6e31091de795d957cb5fc
  File Type:  OOXML Word File
  SHA256:     c43dfda63e6e534776eb24d284d0bdf21115181b49d6e31091de795d957cb5fc
  MD5:        da8e135550156706041295e7b71ab3e5
  File Size:  2.0 MB
  Verdict:    Malicious
  Date:       September 7th 2022, 12:57:44 pm

Sample #2
  File Name:  MUFG_JOB_DESCRIPTION.docx
  File Type:  OOXML Word File
  SHA256:     c08ba7c0297cd515c5a24918f6e1ec705b72cdeea40078494d8b51de447b6b8c
  MD5:        38e49cd1b7e5d3adb8e058040275b6fd
  File Size:  2.6 MB
  Verdict:    Malicious
  Date:       September 7th 2022, 12:49:40 pm

Sample #1 VirusTotal Detection Rate: 1/63

Sample #2 VirusTotal Detection Rate: 1/62

How Fast Is DOCGuard?

DOCGuard detected these samples as malicious in 12 seconds without any signature updates!

On MalwareBazaar, DOCGuard returned its verdict before ClamAV did, while the other vendors had not yet responded.

IOCs

IOC Type   Value
URL        https[:]//cloud.azure-company[.]net/G%2BUTMW7%2B7YHckDVpI/nUyfKjTe8i/2oVSkbzP5L/XeEc08P4lt/6gcBSBQ%3D/%3D
SHA256     c43dfda63e6e534776eb24d284d0bdf21115181b49d6e31091de795d957cb5fc
SHA256     c08ba7c0297cd515c5a24918f6e1ec705b72cdeea40078494d8b51de447b6b8c
MD5        da8e135550156706041295e7b71ab3e5
MD5        38e49cd1b7e5d3adb8e058040275b6fd