# Snow Abuse: Analysis of the Suspected Lazarus Attack Activities against South Korean Companies Original red raindrops team [qianxin threat intelligence center](javascript:void(0);) 2022-04-11 00:27 included in the collection #东亚地区 8 #APT 59 #Lazarus 4 ## overview Spear phishing attacks have long been one of the most convenient ways to get into an enterprise network. Spear phishing attacks are often used against large corporations, banks, or influencers, and most commonly target high-level employees who have access to rich information, or employees in departments that need to open a lot of foreign documents at work. Generally speaking, attack files are macro code written in Microsoft Word or JavaScript code, which are very small, have no superfluous programs built into the files, and whose sole purpose is to download more destructive malware on the target object's computer. Once downloaded, malware spreads further through the targeted network or is only used to steal all available information, helping attackers find targets in the network. recently, the red raindrop team of the qianxin threat intelligence center has captured a large number of spear phishing attack samples against south korean companies in the daily threat hunt. it is infected through a vulnerable document or chm file, and distinguishes the number of bits of the current operating system, and executes macro code corresponding to the number of bits of the system to achieve the best attack effect. after research, the characteristics of this attack are as follows: 1. THE INITIAL INFECTED DOCUMENTS ARE DOWNLOADED FOR SUBSEQUENT EXECUTION USING CVE-2017-0199 REMOTE CODE EXECUTION VULNERABILITY; 2. The subsequent attack uses the UAC Bypass technology of the local RPC interface to elevate the privilege; 3. subsequent load packing interference analysis and use simple means to detect whether it is in the sandbox; ## sample analysis ### 0x01 decoy file ----- Office/WordPad remote code execution vulnerability, its vulnerability number is CVE 2017-0199, and the decoy analysis of the related samples is as follows: the bait file induces the victim to click "enable content" in a number of ways. for example, 긴급재난지원금신청서양식 .docx (emergency disaster assistance request form) induces users to click on enable content by displaying garbled file content. ----- The bait file 대한광산개발(주) .docx (Daehan Mine Development Shares) shows that the document was produced by Windows 11, inducing the victim to click on the enabled content. ----- or fake microsoft's error message, the same purpose is to induce users to click to enable content. ----- ### 0x02 malicious macro Here, take 통지서 .docx (notification) as an example, click on the execution bait fil e, access the remote template http://VM2rJOnQ.naveicoipg.online/ACMS/0hUxr3Lx/p olice0?mid=h1o5cYfJ download execution, and the file downloaded and executed is a s follows. ----- (32Bit/64Bit) from the outside: mount page for payload: the payload is then decrypted and injected into the winword .exe process. ----- ### 0x03 injected code the injected code is first anti-sandboxed in the main function. At the same time, it will detect whether the currently running process contains v3l 4sp .exe, and if so, exit the program. v3l4sp .exe a subroutine of south Korean AhnLa b's free antivirus software V3 Lite, indicating that the target of this attack is not for in dividual users in South Korea. ----- Subsequently, the error .log is released in the %AppData%Local\Microsoft\TokenB roker directory, and "s/o2ldz9l95itdj2e/error.txt?dl=0", and the Release RuntimeBroke r .exe is decrypted in the same directory. The UAC Bypass technology of the native RPC interface is then used to perform the RuntimeBroker .exe. ----- finally, it is persisted through the registry startup key. ----- RuntimeBroker .exe interfered with the researchers' analysis by adding a UPX shel l, and after dehulling, it was found that it also detected the sandbox in the main func tion, and also detected whether the currently running process contained v3l4sp.exe a nd AYAgent.aye. AYAgent.aye is part of ALYac, south Korea's Internet security suite, es tsoft. Verify whether the currently running program path is a RuntimeBroker .exe in the %AppData%Local\Microsoft\TokenBroker directory, or delete itself if it is not, which is to evade dynamic detection of the sandbox. ----- It is then added to windows Defender's exclusion list using the PowerShell command. Read the contents of the released error .log file and stitch it together with the URL dl.dropboxusercontent.com of the cloud server Dropbox, so that it acts as an intermediary to pass the C2 information. ----- The user information is then uploaded to the hxxp://naveicoipg.online/post2.php in the specified format "uid=%s&avtype=%d&avtype=%d&majorv=%d", where the va lue of avtype is 1 when no soft kill is specified, 2 when v3l4sp .exe is present, and 3 w hen AYAgent.aye is present. Subsequent visits naveicoipg.online's "/fecommand.acm" page to get the payload, where uid is the victim ID of the previous callback C2. ----- the obtained instruction content calls the function sub_401410 executed, and the malware maintains an array of structs of size 100 to record the executed instructions. ----- If the instruction has not been executed before, the calling function sub_401280 download the corresponding subsequent payload from C2, download the subsequent URL format is "/< instruction name >", and the obtained content will be executed as a PE file. ----- unfortunately, subsequent content is not available as of the time of analysis. ## traceability and correlation By searching the database for the keyword "fecommand.acm", we discovered another way to spread attack samples, distributed by using CHM files. ----- the short link in the bait chm file was redirected to the actual website of the korean centers for disease control and prevention, which echoed the bait file name, making it easier for the victim to get caught. After comparison, the chmext .exe is basically the same as the above injected cod e, only C2 is different, chmext .exe C2 is naveicoipc.tech. IN THE PROCESS OF CONTINUING TO TRACE THE SOURCE, WE ALSO FOUND PHISHING EMAILS THAT IMPERSONATED THE KOREAN INTERNET INFORMATION CENTER COMBINED WITH VARIOUS INDICATIONS WE SUSPECT THAT THIS ATTACK IS ----- INDIVIDUAL ORDINARY USER, THE ATTACK METHODS ARE COMPLEX AND CHANGEABLE, ITS FOLLOW-UP REAL PAYLOAD IS RELATIVELY HIDDEN, AND THE NUMBER OF ATTACK SAMPLES IS LARGE, AND WE HAVE CAPTURED A LARGE NUMBER OF ATTACK SAMPLES IN A SHORT PERIOD OF TIME. Combing through the APT organization targeting South Korea, we found that this attack is suspected to be from the APT organization Lazarus, as early as a few years a go, the Lazarus organization was good at using the cloud server Dropbox to carry out the attack, followed by the February malwarebytes labs disclosed Lazarus's report [[1]], Lazarus also created the RuntimeBroker process in the attack process. ----- Coincidentally, in the process of tracing the origin of C2, we found that as early a s March 25, the foreign security company Rewterz made an early warning of the navei coipc.tech domain name [[2]], and the URL link in its warning was basically consistent w ith the sample link we captured earlier. ----- ## summary as of the end of the draft, there are still new attack samples being discovered, whi ch is worth our vigilance! PHISHING EMAILS HAVE ALWAYS BEEN ONE OF THE IMPORTANT MEANS OF ATTA CKS BY APT ORGANIZATIONS, AND MOST USERS ARE NOT SECURITY-CONSCIOUS AN D ARE EASILY CONFUSED BY SPOOFED EMAILS, DISGUISED DOCUMENTS, AND DECEP TIVE HEADERS. THE QIANXIN RED RAINDROP TEAM REMINDS USERS TO BEWARE OF PHISHING ATTACKS, NEVER OPEN LINKS OF UNKNOWN ORIGIN SHARED ON SOCIAL MEDIA, DO NOT CLICK ON EMAIL ATTACHMENTS THAT EXECUTE UNKNOWN SOURCE S, DO NOT RUN UNKNOWN FILES WITH EXAGGERATED TITLES, AND DO NOT INSTALL ----- UPDATE AND INSTALL PATCHES. If you need to run, install an application of unknown origin, you can first use the Qianxin Threat Intelligence File Deep Analysis Platform (https://sandbox.ti.qianxin.co m/sandbox/page) to identify. At present, it supports in-depth analysis of files in vario us formats, including Windows and Android platforms [[3].] AT PRESENT, THE FULL RANGE OF THREAT INTELLIGENCE DATA BASED ON THE QI ANXIN THREAT INTELLIGENCE CENTER, INCLUDING THE QIANXIN THREAT INTELLIGEN CE PLATFORM (TIP), TIANQING, TIANYAN ADVANCED THREAT DETECTION SYSTEM, QI ANXIN NGSOC, ANDRXIN SITUATIONAL AWARENESS, ETC., HAVE SUPPORTED THE AC CURATE DETECTION OF SUCH ATTACKS. ## IOCs **MD5** 44BE20C67A80AF8066F9401C5BEE43CB 65ABAD905E80F8BC0A48E67C62E40119 1FD8FEF169BF48CFDCF506151264128C 7B07CD6BB6B5D4ED6A2892A738FE892B 9AD00E513364E9F44F1B6712907CBA9B 15A7125FE9E629122E1D1389062AF712 749CCB545B74B8EB9DFF57FCB6A07020 1769A818548A0B52C7BE2A0A213A9384 ----- B587851D8A42FC8C23F638BBC2EB866B BDFB5071F5374F5C0A3714464B1FA5E6 C0B24DC8F53227CE0C64439B302CA930 619649CE3FC1682C702D9159E778F8FD D19DD02CF375D0D03F557556D5207061 D47F7FCBE46369C70147A214C8189F8A E3FFDA448DF223B240A20DAE41E20CEF 825730D9DD22DBAE7F2BD89131466415 4382384FEB5AD6B574F68E431006905E AAD5A9F3BE23D327B9122A7F7E102443 556ABC167348FE96ABFBF5079C3AD488 **URL** http://VM2rJOnQ.naveicoipg.online/ACMS/0hUxr3Lx/police0?mid=h1o5cYfJ http://twlekqnwl.naveicoipg.online/ACMS/0y0fMbUp/supportTemplate7? cid=yypwjelnblw http://olsnvolqwe.naveicoipg.online/ACMS/0y0fMbUp/supportTemplate5? cid=pqwnlqwjqg http://vnwoei.naveicoipg.online/ACMS/0s4AtPuk/wwwTemplate?cid=nnwoieopq http://jvnquetbon.naveicoipg.online/ACMS/0pxCtBMz/policeTemplate1? mid=ksndoqiweyp http://AOsM8Cts.naveicoipg.online/ACMS/0ucLxIjP/toyotaTemplate8?tid=CN2xsRPI http://ADzJvazJ.naveicoipg.online/ACMS/0ucLxIjP/toyotaTemplate1?tid=2uiSmhx2 http://CEcOMTp3.naveicoipg.online/ACMS/0o0WQher/ttt3?qwe=v0OSWog5 http://123fisd.naveicoipg.online/ACMS/0mFCUrPf/temp04060?ttuq=qcnvoiek http://naveicoipc.tech/ACMS/0Mogk1Cs/topAccounts?uid=3490blxl http://1xJOiKZd.naveicoipa.tech/ACMS/Cjtpp17D/Cjtpp17D64.acm http:// uzzmuqwv.naveicoipc.tech/ACMS/1uFnvppj/1uFnvppj32.acm http://naveicoipd.tech/ACMS/018ueCdS/blockchainTemplate http://bcvbert.naveicoipe.tech/ACMS/01AweT9Z/01AweT9Z64.acm http://xjowihgnxcvb.naveicoipf.online/ACMS/07RRwrwK/07RRwrwK64.acm ## reference links [1]. https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus apt-leverages-windows-update-client-github-in-latest-campaign/ ----- cs-6 [3]. https://ti.qianxin.com/portal Click to read the original article to ALPHA 5.0 instantly assist in threat research Included in the collection #APT 59 previous Lazarus Arsenal Update: Andariel Recent Attack Sample Analysis next analysis of the recent attack activities of the "blind eagle" in forging judicial bans Modified on 2022-04-11 [Read more](javascript:;) People who liked this content also liked ### the mysterious hacking organization that hacked microsoft, samsung, and nvidia was exposed, and behind it was a 16-year-old british teenager who... big data digest ### Facebook blocks cyberattacks against Ukraine by Russia and Belarus; Ubuntu developers terminate russian operations 21CTO -----