[MART] - Daily Diary #387 - Lazarus Group Targeting Researchers

CTAS-MAT ctas-mat at appgate.com
Wed Nov 10 22:11:53 UTC 2021


Hello,

I hope everyone is doing well!

Below is the entry for today.

11/10/2021 - Diary entry #387:

Lazarus is a North Korean state-sponsored APT (Advanced Persistent Threat) group, active since at least 2009, and covered in several of our Daily Diaries. "The Lazarus group has been linked to a wide range of cybercriminal activities across the years, including the cyber-attack on Sony Pictures in 2014, the creation of the WannaCry ransomware in 2017, and attacks against cryptocurrency companies that stole millions of US dollars", as mentioned in Daily #207.

Now, Lazarus is targeting security researchers with a trojanized version of the popular IDA Pro reverse engineering software. Security researchers and students use IDA Pro and other disassemblers like Ghidra to analyze malware, or even legitimate applications, in order to find vulnerabilities. However, IDA Pro is very expensive, so some people put themselves at risk by downloading a cracked version of IDA instead of purchasing it.

The trojanized version has been modified to include two malicious DLLs (idahelp.dll and win_fw.dll) that are executed when the software is installed. Next, the loader creates a scheduled task to run another part of the malware, which connects out, downloads, and executes the NukeSped RAT to spy on the researcher.
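As an added hunting example (not part of the original entry), the heuristic below runs over constructed Sysmon-style events and flags the two behaviours described above: a load of a DLL named idahelp.dll or win_fw.dll, and a scheduled task being created by a process whose parent is an IDA executable. Sysmon field names (EventID 7 ImageLoaded, EventID 1 ParentImage/CommandLine) are real; the sample events, paths and task names are fabricated for the demonstration.

```python
"""Hunting heuristic for the trojanized IDA Pro chain described in the entry.

Added example: parses Sysmon-style events (plain dicts) and reports
(1) loads of the two DLL names the report cites, and
(2) schtasks /create spawned by an IDA process (installer or ida*.exe).
Sample events below are constructed, not captured from a real incident.
"""
import ntpath
import re

SUSPECT_DLLS = {"idahelp.dll", "win_fw.dll"}           # names from the report
IDA_IMAGE_RE = re.compile(r"^ida.*\.exe$", re.IGNORECASE)  # ida.exe, ida64.exe, idasetup.exe ...
SCHTASKS_CREATE_RE = re.compile(r"schtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)


def flag_event(event):
    """Return a list of finding strings for one event (empty when nothing matches)."""
    findings = []
    eid = event.get("EventID")
    if eid == 7:  # Sysmon: image (DLL) loaded into a process
        loaded = event.get("ImageLoaded", "")
        if ntpath.basename(loaded).lower() in SUSPECT_DLLS:
            findings.append(f"suspect DLL loaded: {loaded} by {event.get('Image')}")
    elif eid == 1:  # Sysmon: process creation
        parent = ntpath.basename(event.get("ParentImage", ""))
        cmd = event.get("CommandLine", "")
        if IDA_IMAGE_RE.match(parent) and SCHTASKS_CREATE_RE.search(cmd):
            findings.append(f"scheduled task created from IDA process {parent}: {cmd}")
    return findings


def hunt(events):
    """Run flag_event over an iterable of events and collect all findings."""
    out = []
    for ev in events:
        out.extend(flag_event(ev))
    return out


# Constructed sample: two benign events, two matching the reported chain.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\IDA\ida64.exe", "ImageLoaded": r"C:\IDA\plugins\idahelp.dll"},
    {"EventID": 7, "Image": r"C:\IDA\ida64.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "ParentImage": r"C:\Users\re\Downloads\idasetup.exe",
     "CommandLine": r'schtasks.exe /create /tn "IDA Update" /tr "C:\IDA\win_fw.dll" /sc daily'},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"schtasks.exe /query"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

A real deployment would add the legitimate plugin directory's file inventory and signer information as an allow-list rather than matching on filenames alone.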

This is not the first time Lazarus has tried this, and it will not be the last. Security researchers and end users should not download cracked software, since it may have been trojanized with a rootkit or a RAT that compromises the victim's system.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549
