Published on: 12 Feb, 2018
It has been reported that the threat actor group "Lazarus" is actively targeting the financial and technology industries with trojanized
Office documents. The document, which discusses hiring a ‘Business Development Executive’ for a financial company, contains an embedded VBA macro
that executes a payload intended to steal information from the victim machine. When the malicious document is opened and the VBA macro is
executed, it locates a malicious ‘csrss.exe’, which shares its name with the legitimate Windows ‘Client Server Runtime Process’, under
the path below:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrss[.]exe
The payloads dropped by the group’s lures carry the names of system processes such as
lsm[.]exe, csrss[.]exe, smss[.]exe, or dwm[.]exe so that they appear to victims as legitimate files.
After locating the binary, ‘csrss[.]exe’ is run from the command line with the specific argument ‘/pumpingcore’
and queries system information such as the machine time, the user account name, and CPU information.
Examples of the command-line invocations are shown below:
- C:\WINDOWS\system32\cmd[.]exe /c start /b
- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.\csrss[.]exe /pumpingcore
It then connects to the group’s command-and-control server, a golf resort website hosted in South Korea, which was likely compromised by the attacker.
C2 domain : www[.]palgong-cc[.]co[.]kr
Resolved IP : 221[.]164[.]168[.]185
Country : Republic of Korea
Reported IOCs:
Malicious documents:
8170681ceb536131b91e284a560518f666f655c19643154184f762130358e9ca
1288e105c83a6f4bbad8471a9b5bedafeea684a8d8b73a1a7518137d446c2e1e
146ddf7c1d38d65622e3c201f58fc29ea8b163888593bd17143d6464034026bd
5aca6a390464c4880d813ebc04e6822fda9c68597600d27e1c5afaa26405bf6f
6dcd635875625426298a1d7b4ab346ee318b3afa2e6440677ab935e473bf782d
8ba791b9611d5d6dfd40e08e43ad851675faea24c2f5bc4f541e475871999ad3
Dropped payloads:
f4e0f145830ec7a9dace5a4b7d5af5f1e93662edcad40c08d57dc825d316174d
2de5e99315a6cf42a46c8286ac4ea0bc842f6d78995833d2cab7de1cdad7dd8d
3759c0fa550a2381f0ff9ab8ad179c1ac4b92f4fd4e038f6814c182501decd90
7fe11b111ea6422cfa1350b24476db828c6bb58edededb7b9e369d1fc918d94a
dbae68e4cab678f2678da7c48d579868e35100f3596bf3fa792ee000c952c0ed
ee3ecf100fc2042cfadeb0509ae4f49647daa1afcee2bd3098912247e155a1e7
Command and control:
- 210[.]122[.]7[.]129
- 108[.]222[.]149[.]173
- 114[.]215[.]107[.]218
- 118[.]140[.]97[.]6
- 221[.]164[.]168[.]185
- 58[.]6[.]21[.]11
- 70[.]42[.]52[.]80
Legitimate domains:
- www[.]palgong-cc[.]co[.]kr
- workers[.]co[.]kr
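As an added defensive example that is not part of the original report, the script below turns the indicators described above (the reused system-process names launched from a Temp directory, the ‘/pumpingcore’ switch, the C2 hosts and the dropped-payload hashes) into checks run over a few constructed telemetry lines. The pipe-delimited log format, the event names (process, network, filewrite) and the sample lines are assumptions made for this example; only the indicator values themselves are taken from the report.

```python
from __future__ import annotations
from dataclasses import dataclass

# Payload file names the report says the group reuses to blend in with Windows processes.
MASQUERADED_NAMES = {"csrss.exe", "lsm.exe", "smss.exe", "dwm.exe"}
# Where the genuine processes live on a default install (assumption: standard system root).
LEGITIMATE_DIRS = {r"c:\windows\system32"}
# Command-line switch the report associates with the dropped csrss.exe.
PAYLOAD_ARGS = {"/pumpingcore"}
# Network indicators from the report, with the defanging brackets removed.
C2_INDICATORS = {"www.palgong-cc.co.kr", "221.164.168.185", "210.122.7.129"}
# Two of the dropped-payload hashes from the report (a real deployment would load the full list).
PAYLOAD_HASHES = {
    "f4e0f145830ec7a9dace5a4b7d5af5f1e93662edcad40c08d57dc825d316174d",
    "2de5e99315a6cf42a46c8286ac4ea0bc842f6d78995833d2cab7de1cdad7dd8d",
}

# Constructed sample telemetry (not from the report), pipe-delimited: timestamp|event|image|detail.
#   process   -> detail is the full command line
#   network   -> detail is host[:port]
#   filewrite -> detail is the SHA-256 of the written file
SAMPLE_LOG = [
    r"2018-02-12T09:14:02|process|C:\WINDOWS\system32\csrss.exe|C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows",
    r"2018-02-12T09:14:04|filewrite|C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrss.exe|f4e0f145830ec7a9dace5a4b7d5af5f1e93662edcad40c08d57dc825d316174d",
    r"2018-02-12T09:14:05|process|C:\WINDOWS\system32\cmd.exe|C:\WINDOWS\system32\cmd.exe /c start /b",
    r"2018-02-12T09:14:06|process|C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.\csrss.exe|C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.\csrss.exe /pumpingcore",
    r"2018-02-12T09:14:09|network|csrss.exe|www.palgong-cc.co.kr:80",
    r"2018-02-12T09:15:00|network|svchost.exe|update.example.invalid:443",
]


@dataclass
class Finding:
    timestamp: str
    image: str
    reason: str


def _split_image(path: str) -> tuple[str, str]:
    """Return (directory, file name) lower-cased, with '\\.\\' segments collapsed.
    8.3 short names such as DOCUME~1 are left as-is; resolving them is out of scope here."""
    norm = path.replace("/", "\\").lower()
    while "\\.\\" in norm:
        norm = norm.replace("\\.\\", "\\")
    directory, _, name = norm.rpartition("\\")
    return directory, name


def check_process(image: str, cmdline: str) -> list[str]:
    """Flag system-process names running outside system directories and the known payload switch."""
    reasons = []
    directory, name = _split_image(image)
    if name in MASQUERADED_NAMES and directory not in LEGITIMATE_DIRS:
        reasons.append(f"{name} launched from {directory or '<relative path>'} rather than a system directory")
    for token in cmdline.lower().split():
        if token in PAYLOAD_ARGS:
            reasons.append(f"payload switch {token} present on command line")
    return reasons


def check_network(destination: str) -> list[str]:
    """Flag connections to the reported C2 hosts; a trailing ':port' is ignored (IPv4/hostnames only)."""
    host = destination.rsplit(":", 1)[0].lower()
    return [f"connection to reported C2 host {host}"] if host in C2_INDICATORS else []


def check_filewrite(sha256: str) -> list[str]:
    """Flag files whose hash matches a reported dropped payload (case-insensitive)."""
    digest = sha256.strip().lower()
    return [f"dropped payload hash {digest[:12]}... matches report"] if digest in PAYLOAD_HASHES else []


# Map each event type to the check that applies to it.
CHECKS = {
    "process": lambda image, detail: check_process(image, detail),
    "network": lambda image, detail: check_network(detail),
    "filewrite": lambda image, detail: check_filewrite(detail),
}


def scan(lines: list[str]) -> list[Finding]:
    """Run every applicable check over the telemetry and collect one Finding per matching reason."""
    findings: list[Finding] = []
    for line in lines:
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # malformed line: skip rather than abort the whole scan
        timestamp, event, image, detail = parts
        check = CHECKS.get(event)
        if check is None:
            continue
        for reason in check(image, detail):
            findings.append(Finding(timestamp, image, reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.image}\n    -> {f.reason}")
```

On the constructed sample, the genuine csrss.exe in System32 and the cmd.exe launcher produce nothing, while the Temp-resident csrss.exe is flagged twice (location and the ‘/pumpingcore’ switch), the written file once by hash, and the outbound connection once by C2 host. The location check is deliberately independent of the hash list, so a rebuilt payload with a new hash is still caught by where it runs from.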