疑似Lazarus组织针对韩国的攻击活动分析
Tags
| attack-pattern: | Server - T1583.004 Server - T1584.004 |
Common Information
| Type | Value |
|---|---|
| UUID | 2d82d5c0-40cb-4bb8-8ff7-dd8b47d378f1 |
| Fingerprint | 39498f22beb8ae47 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Aug. 16, 2022, 9:15 p.m. |
| Added to db | Jan. 16, 2023, 4:57 p.m. |
| Last updated | Nov. 17, 2024, 6:53 p.m. |
| Headline | 疑似Lazarus组织针对韩国的攻击活动分析 |
| Title | 疑似Lazarus组织针对韩国的攻击活动分析 |
| Detected Hints/Tags/Attributes | 8/1/52 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://mp.weixin.qq.com/s/w-KF5HUNe8-KlmFl6zLkZw |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 28 | dl.dropboxusercontent.com |
|
| Details | Domain | 37 | blog.alyac.co.kr |
|
| Details | Domain | 58 | ti.qianxin.com |
|
| Details | File | 2 | 下载恶意载荷并将其注入到winword.exe |
|
| Details | File | 2 | 下载到的恶意载荷主要用于释放下载工具ieupdate.exe |
|
| Details | File | 4 | ieupdate.exe |
|
| Details | File | 2 | 目前已知存在两种载荷hvncengine.dll |
|
| Details | File | 2 | 和shellengine.dll |
|
| Details | File | 2 | klec.docx |
|
| Details | File | 2 | temp2.dot |
|
| Details | File | 4 | generic.asm |
|
| Details | File | 1 | d5583e63.dot |
|
| Details | File | 2 | %localappdata%\microsoft\playready下释放ieupdate.exe |
|
| Details | File | 2 | 和error.log |
|
| Details | File | 2 | 之后通过fodhelper.exe |
|
| Details | File | 2 | 绕过uac提升ieupdate.exe |
|
| Details | File | 49 | error.log |
|
| Details | File | 15 | server.txt |
|
| Details | File | 2 | 恶意载荷释放的文件以及error.log |
|
| Details | File | 2 | 将ieupdate.exe |
|
| Details | File | 10 | myapp.exe |
|
| Details | File | 9 | v3l4sp.exe |
|
| Details | File | 2 | %localappdata%\microsoft\playready\ieupdate.exe |
|
| Details | File | 2 | 则关闭先前的ieupdate.exe |
|
| Details | File | 2 | 与从error.log |
|
| Details | File | 2 | 将收集到的信息发送到post2.php |
|
| Details | File | 2 | 应为ieupdate.exe |
|
| Details | File | 2 | hvncengine.dll |
|
| Details | File | 2 | 首先和ieupdate.exe |
|
| Details | File | 2 | 与ieupdate.exe |
|
| Details | File | 3 | 打开explorer.exe |
|
| Details | File | 2 | 启动chrome.exe |
|
| Details | File | 2 | shellengine.dll |
|
| Details | File | 2 | 创建管道用于与cmd.exe |
|
| Details | File | 2 | 并将cmd.exe |
|
| Details | File | 2 | 获取cmd.exe |
|
| Details | File | 2 | 重启cmd.exe |
|
| Details | File | 2 | 进程或者通过cmd.exe |
|
| Details | File | 2 | 又根据模板文件中包含的vba代码以及ieupdate.exe |
|
| Details | File | 2 | 与shellengine.dll |
|
| Details | File | 2 | 带有恶意宏的模板文件和ieupdate.exe |
|
| Details | File | 2 | 通过fodhelper.exe |
|
| Details | File | 2 | 注入到winword.exe |
|
| Details | md5 | 2 | f1a61ee026eac8583ee840d297792478 |
|
| Details | md5 | 2 | 8D7C3F3C56AD3069908901790ADFA826 |
|
| Details | md5 | 2 | c073012bc50b6a4f55f8edcce294a0b4 |
|
| Details | md5 | 2 | 5beade9f8191c6a9c47050d4e3771b80 |
|
| Details | md5 | 1 | edaff44ac5242188d427755d2b2aff94 |
|
| Details | IPv4 | 2 | 23.106.160.173 |
|
| Details | Url | 2 | http://23.106.160.173/temp2.dotm |
|
| Details | Url | 1 | https://blog.alyac.co.kr/4586 |
|
| Details | Url | 2 | https://ti.qianxin.com/blog/articles/analysis-of-the-lazarus-group-attacks-on-korean-companies |