MALWARE THREAT EXCHANGE : Lazarus Group activity reported





Published on: 12 Feb, 2018

It has been intimated that the threat actor group "Lazarus" found actively targeting the financial and technology industries with trojanized office documents. The document, which discusses hiring a ‘Business Development Executive’ for a financial company, contains an embedded VBA macro which executes a payload intended to steal target information from the victim machine.When the malicious document is opened and the VBA macro is executed, it locates a malicious ‘csrss.exe,’ which shares the name of the legitimate process ‘Client Server Runtime Process of Microsoft’ used in Windows, under the path below:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrss[.]exe


The group’s payloads dropped by their lures have the names of system processes such as lsm[.]exe, csrss[.]exe, smss[.]exe, or dwm[.]exe so that they appear to victims as legitimate files.
After locating the binary, ‘csrss[.]exe’ runs via command line with the specific argument ‘/pumpingcore’ and queries system information such as ‘time of machine’, ‘user account name’, and ‘cpu information’.
For examples of the command line arguments, see below:

  1. C:\WINDOWS\system32\cmd[.]exe /c start /b
  2. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.\csrss[.]exe /pumpingcore

It then connects to the group’s command-and-control server, a golf resort website hosted in South Korea, which is likely compromised by attacker.

C2 domain : www[.]palgong-cc[.]co[.]kr
Resolved IP : 221[.]164[.]168[.]185
Country : Republic of Korea

Reported IOC's:

IOCs:

Mal doc:

8170681ceb536131b91e284a560518f666f655c19643154184f762130358e9ca
1288e105c83a6f4bbad8471a9b5bedafeea684a8d8b73a1a7518137d446c2e1e
146ddf7c1d38d65622e3c201f58fc29ea8b163888593bd17143d6464034026bd
5aca6a390464c4880d813ebc04e6822fda9c68597600d27e1c5afaa26405bf6f
6dcd635875625426298a1d7b4ab346ee318b3afa2e6440677ab935e473bf782d
8ba791b9611d5d6dfd40e08e43ad851675faea24c2f5bc4f541e475871999ad3

Dropped payload:

f4e0f145830ec7a9dace5a4b7d5af5f1e93662edcad40c08d57dc825d316174d
2de5e99315a6cf42a46c8286ac4ea0bc842f6d78995833d2cab7de1cdad7dd8d
3759c0fa550a2381f0ff9ab8ad179c1ac4b92f4fd4e038f6814c182501decd90
7fe11b111ea6422cfa1350b24476db828c6bb58edededb7b9e369d1fc918d94a
dbae68e4cab678f2678da7c48d579868e35100f3596bf3fa792ee000c952c0ed
ee3ecf100fc2042cfadeb0509ae4f49647daa1afcee2bd3098912247e155a1e7

Command and control:

  1. 210[.]122[.]7[.]129
  2. 108[.]222[.]149[.]173
  3. 114[.]215[.]107[.]218
  4. 118[.]140[.]97[.]6
  5. 221[.]164[.]168[.]185
  6. 58[.]6[.]21[.]11
  7. 70[.]42[.]52[.]80
Legitimate domains:

  1. www[.]palgong-cc[.]co[.]kr
  2. workers[.]co[.]kr

References: