
The Malware ThreatNeedle of Lazarus

ThreatNeedle consists of a variety of malicious software that is deployed inside the infected company's network to collect sensitive information. It belongs to the malware family "Manuscrypt", which Lazarus had previously used in attacks on cryptocurrency businesses. So far, ThreatNeedle has been used to attack organizations in more than 10 countries.

The attack started with spear-phishing emails. The email received by the victim contained either a malicious Word attachment or a link to a malicious page hosted on the company's server. The emails used content related to the new coronavirus (COVID-19) as a lure and claimed to come from a well-known medical institution.

Opening the malicious attachment and allowing the macro to run drops the installer, which then loads the backdoor in memory. From that point the attacker controls the infected device, from tampering with files to executing commands sent by the command-and-control (C2) server.
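The initial foothold above depends on a Word document that carries a VBA macro. A mail gateway or triage script can flag such documents before anyone opens them by inspecting the OOXML container rather than trusting the file extension. The following is an added example, not code from the original page or from the referenced report; the two sample containers it builds are constructed in memory and are not real campaign documents.

```python
import io
import zipfile

# Part name and content type that Word writes for an embedded VBA project.
VBA_PART = "word/vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def ooxml_has_macros(data: bytes) -> bool:
    """Return True if an OOXML document (docx/docm/dotm) carries a VBA project.

    Two independent signals are checked: the vbaProject.bin part itself and
    the content-type override declared for it. Either one is enough to route
    the file to a sandbox. The extension is ignored on purpose: Word follows
    the ZIP contents, not the name, so a renamed .docm still runs its macro.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            if VBA_PART in names:
                return True
            if "[Content_Types].xml" in names:
                ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in ctypes:
                    return True
    except zipfile.BadZipFile:
        # Not an OOXML container at all (e.g. a legacy OLE2 .doc);
        # that format needs a different check and is out of scope here.
        return False
    return False


def build_sample(with_macro: bool) -> bytes:
    """Build a minimal OOXML container in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        overrides = (
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument'
            '.wordprocessingml.document.main+xml"/>'
        )
        if with_macro:
            overrides += (
                f'<Override PartName="/{VBA_PART}" '
                f'ContentType="{VBA_CONTENT_TYPE}"/>'
            )
            # Placeholder bytes standing in for the OLE2 VBA project stream.
            z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0placeholder")
        z.writestr("[Content_Types].xml", f"<Types>{overrides}</Types>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    print("clean document has macros:", ooxml_has_macros(build_sample(False)))
    print("macro document has macros:", ooxml_has_macros(build_sample(True)))
```

In a real pipeline the document bytes come from the mail queue or a file-share scan; a hit should quarantine the attachment and, if the organization does not need macros from external senders, policy should block them outright rather than rely on the user declining the "Enable Content" prompt.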

[Figure] Example of the ThreatNeedle infection process

Of particular interest in this attack is the split between the office IT network (including Internet-connected computers) and a restricted, isolated network holding mission-critical assets and highly sensitive data, with no Internet connection. Company policy was to keep the office network and the restricted network completely separate and to transfer no information between them, but the IT system administrator's computer was connected to both networks for maintenance. Lazarus hijacked the administrator's computer and set up an Apache web server on the router to relay communications, breaking into the isolated network and stealing sensitive information. The practical lesson is that an air gap only holds while no host is dual-homed across it: a single maintenance workstation with a foot on each side is enough to collapse the segmentation.

[Figure] Lazarus accessing the restricted network through the router

IOCs

C2 URLs (defanged)

http[:]//forum.iron-maiden.ru/core/cache/index.php
http[:]//www.au-pair.org/admin/Newspaper.asp
http[:]//www.au-pair.org/admin/login.asp
http[:]//www.colasprint.com/_vti_log/upload.asp
http[:]//www.djasw.or.kr/sub/popup/images/upfiles.asp
http[:]//www.kwwa.org/popup/160307/popup_160308.asp
http[:]//www.kwwa.org/DR6001/FN6006LS.asp
http[:]//www.sanatoliacare.com/include/index.asp
https[:]//americanhotboats.com/forums/core/cache/index.php
https[:]//docentfx.com/wp-admin/includes/upload.php
https[:]//kannadagrahakarakoota.org/forums/admincp/upload.php
https[:]//polyboatowners.com/2010/images/BOTM/upload.php
https[:]//ryanmcbain.com/forum/core/cache/upload.php
https[:]//shinwonbook.co.kr/basket/pay/open.asp
https[:]//shinwonbook.co.kr/board/editor/upload.asp
https[:]//theforceawakenstoys.com/vBulletin/core/cache/upload.php
https[:]//www.automercado.co.cr/empleo/css/main.jsp
https[:]//www.curiofirenze.com/include/inc-site.asp
https[:]//www.digitaldowns.us/artman/exec/upload.php
https[:]//www.dronerc.it/forum/uploads/index.php
https[:]//www.dronerc.it/shop_testbr/Adapter/Adapter_Config.php
https[:]//www.edujikim.com/intro/blue/view.asp
https[:]//www.edujikim.com/pay/sample/INIstart.asp
https[:]//www.edujikim.com/smarteditor/img/upload.asp
https[:]//www.fabioluciani.com/ae/include/constant.asp
https[:]//www.fabioluciani.com/es/include/include.asp
http[:]//www.juvillage.co.kr/img/upload.asp
https[:]//www.lyzeum.com/board/bbs/bbs_read.asp
https[:]//www.lyzeum.com/images/board/upload.asp
https[:]//martiancartel.com/forum/customavatars/avatars.php
https[:]//www.polyboatowners.com/css/index.php
https[:]//www.sanlorenzoyacht.com/newsl/include/inc-map.asp
https[:]//www.raiestatesandbuilders.com/admin/installer/installer/index.php
http[:]//156.245.16.55/admin/admin.asp
http[:]//fredrikarnell.com/marocko2014/index.php
http[:]//roit.co.kr/xyz/mainpage/view.asp
https[:]//www.waterdoblog.com/uploads/index.asp
http[:]//www.kbcwainwrightchallenge.org.uk/connections/dbconn.asp
https[:]//prototypetrains.com[:]443/forums/core/cache/index.php
https[:]//newidealupvc.com[:]443/img/prettyPhoto/jquery.max.php
https[:]//mdim.in.ua[:]443/core/cache/index.php
https[:]//forum.snowreport.gr[:]443/cache/template/upload.php
https[:]//www.gonnelli.it/uploads/catalogo/thumbs/thumb.asp
https[:]//www.dellarocca.net/it/content/img/img.asp
https[:]//www.astedams.it/photos/image/image.asp
https[:]//www.geeks-board.com/blog/wp-content/uploads/2017/cache.php
https[:]//cloudarray.com/images/logo/videos/cache.jsp

File hashes (MD5)

e7aa0237fc3db67a96ebd877806a2c88
b191cc4d73a247afe0a62a8c38dc9137
9e440e231ef2c62c78147169a26a1bd3
b7cc295767c1d8c6c68b1bb6c4b4214f
0f967343e50500494cf3481ce4de698c
09aa1427f26e7dd48955f09a9c604564
07b22533d08f32d48485a521dbc1974d
1c5e4d60a1041cf2903817a31c1fa212
4cebc83229a40c25434c51ee3d6be13e
23b04b18c75aa7d286fea5d28d41a830
319ace20f6ffd39b7fff1444f73c9f5d
45c0a6e13cad26c69eff59fded88ef36
486f25db5ca980ef4a7f6dfbf9e2a1ad
1333967486d3ab50d768fb745dae9af5
c86d0a2fa9c4ef59aa09e2435b4ab70c
69d71f06fbfe177fb1a5f57b9c3ae587
7bad67dcaf269f9ee18869e5ef6b2dc1
956e5138940a4f44d1c2c24f122966bd
ed627b7bbf7ea78c343e9fb99783c62b
1a17609b7df20dcb3bd1b71b7cb3c674
fa9635b479a79a3e3fba3d9e65b842c3
3758bda17b20010ff864575b0ccd9e50
cbcf15e272c422b029fcf1b82709e333
9cb513684f1024bea912e539e482473a
36ab0902797bd18acd6880040369731c
db35391857bcf7b0fa17dbbed97ad269
be4c927f636d2ae88a1e0786551bf3c4
728948c66582858f6a3d3136c7fbe84a
06af39b9954dfe9ac5e4ec397a3003fb
29c5eb3f17273383782c716754a3025a
79d58b6e850647024fea1c53e997a3f6
e604185ee40264da4b7d10fdb6c7ab5e
2a73d232334e9956d5b712cc74e01753
459be1d21a026d5ac3580888c8239b07
87fb7be83eff9bea0d6cc95d68865564
062a40e74f8033138d19aa94f0d0ed6e
9b17f0db7aeff5d479eaee8056b9ac09
420d91db69b83ac9ca3be23f6b3a620b
238e31b562418c236ed1a0445016117c
ad1a93d6e6b8a4f6956186c213494d17
c34d5d2cc857b6ee9038d8bb107800f1
16824dfd4a380699f3841a6fa7e52c6d
aa74ed16b0057b31c835a5ef8a105942
85621411e4c80897c588b5df53d26270
a611d023dfdd7ca1fab07f976d2b6629
160d0e396bf8ec87930a5df46469a960
110e1c46fd9a39a1c86292487994e5bd
ac86d95e959452d189e30fa6ded05069
bea90d0ef40a657cb291d25c4573768d
254a7a0c1db2bea788ca826f4b5bf51a
6f0c7cbd57439e391c93a2101f958ccd
fc9e7dc13ce7edc590ef7dfce12fe017
0aceeb2d38fe8b5ef2899dd6b80bfc08
09580ea6f1fe941f1984b4e1e442e0a5

File hashes (SHA-1)

23f2582a5a06cb2f5d3989ae98a828aec175a712
9a48949edd77b30bd4ee5037b28907ec46c4ce28
d82fd36be57658f54f64de1ddc72109585a0c81b
7975aac9459d4aac50e283a26607b5b0b43c37ac
0ecc687d741c7b009c648ef0de0a5d47213f37ff

File hashes (SHA-256)

775bcd723e8f75f51f612bccbd7ecc4811658508025a3056248e999c7c2b0f9b
ada51ff6003e338075a467c06668e6275774c897e12f2b30ae9a454c632e6a65
e078f73f89c7a33010745830057582194df4434adf5de95fd45741574a9b2b50
bc38fb81112d07358157f2ec50d4b33b566d945ee000257cfadacecf4f572d7b
6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1
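The list above is only useful once it is turned into something that can be run against proxy logs and file inventories. Two details trip people up: the URLs are defanged with `[:]` and will never match a log line as published, and the mix of MD5, SHA-1 and SHA-256 values has to be matched against the matching digest of each file. The following is an added example, not code from the original page; it embeds a handful of entries copied from the list above, and the proxy log lines are constructed samples in a Squid-like format, not real traffic.

```python
import re
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

# A few entries copied from the IOC list on this page (still defanged);
# in practice, feed the whole list in.
IOC_TEXT = """
http[:]//www.kwwa.org/DR6001/FN6006LS.asp
https[:]//docentfx.com/wp-admin/includes/upload.php
https[:]//prototypetrains.com[:]443/forums/core/cache/index.php
e7aa0237fc3db67a96ebd877806a2c88
23f2582a5a06cb2f5d3989ae98a828aec175a712
775bcd723e8f75f51f612bccbd7ecc4811658508025a3056248e999c7c2b0f9b
"""

# Hex length identifies the digest algorithm used for each hash entry.
HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HASH_RE = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")


def refang(url: str) -> str:
    """Undo the [:] defanging so the URL can be parsed and compared."""
    return url.replace("[:]", ":")


def parse_iocs(text: str) -> Tuple[Set[Tuple[str, str]], Set[str]]:
    """Split the list into (host, path) pairs and lower-cased hashes.

    Scheme and port are deliberately dropped from the URL key: the list
    publishes some hosts as host[:]443 and proxies log the same request
    without the port, so matching on host + path is what actually works.
    """
    urls: Set[Tuple[str, str]] = set()
    hashes: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if HASH_RE.fullmatch(line):
            hashes.add(line.lower())
            continue
        u = urlsplit(refang(line))
        urls.add(((u.hostname or "").lower(), u.path))
    return urls, hashes


def match_proxy_log(line: str, urls: Set[Tuple[str, str]]) -> bool:
    """Match one proxy log line of the form '... GET|POST <url> ...'."""
    m = re.search(r"\b(?:GET|POST)\s+(\S+)", line)
    if not m:
        return False
    u = urlsplit(m.group(1))
    return ((u.hostname or "").lower(), u.path) in urls


def match_hash(digest: str, hashes: Set[str]) -> Optional[str]:
    """Return the algorithm name if the digest is on the list, else None."""
    d = digest.strip().lower()
    return HASH_LEN.get(len(d)) if d in hashes else None


def scan_log(lines, urls: Set[Tuple[str, str]]):
    """Return the log lines whose requested URL is on the IOC list."""
    return [ln for ln in lines if match_proxy_log(ln, urls)]


# Constructed sample proxy log lines (not real traffic); two hit, one does not.
SAMPLE_LOG = [
    "1614000000.123 10.1.2.3 TCP_MISS/200 4321 POST https://docentfx.com/wp-admin/includes/upload.php - DIRECT/192.0.2.10",
    "1614000001.456 10.1.2.3 TCP_MISS/200 812 GET http://www.kwwa.org/DR6001/FN6006LS.asp - DIRECT/192.0.2.11",
    "1614000002.789 10.1.2.4 TCP_MISS/200 700 GET https://example.com/forums/core/cache/index.php - DIRECT/192.0.2.12",
]

if __name__ == "__main__":
    urls, hashes = parse_iocs(IOC_TEXT)
    for hit in scan_log(SAMPLE_LOG, urls):
        print("IOC hit:", hit)
    print(match_hash("E7AA0237FC3DB67A96EBD877806A2C88", hashes))
```

Note that several of the listed C2 paths (`core/cache/index.php`, `upload.php`, `upload.asp`) live on what look like compromised legitimate sites, so a hit on the host alone is weak; the host plus exact path is the signal worth alerting on, and a hit should prompt a look at the dual-homed hosts discussed above rather than only at the one machine that made the request.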