ioc[.]one - OSINT Cyber Threat Intelligence Database

Lazarus group leverages Covid themed HWP Document

Tags

cmtmf-attack-pattern:	Data Encrypted Masquerading Obfuscated Files Or Information
country:	South Korea
attack-pattern:	Application Shimming - T1546.011 Clipboard Data - T1414 Domains - T1583.001 Domains - T1584.001 Input Capture - T1417 Malware - T1587.001 Malware - T1588.001 Masquerading - T1655 Obfuscated Files Or Information - T1406 Process Discovery - T1424 System Information Discovery - T1426 Security Software Discovery - T1418.001 Security Software Discovery - T1518.001 Software Packing - T1027.002 Software Packing - T1406.002 Virtualization/Sandbox Evasion - T1497 Tool - T1588.002 Virtualization/Sandbox Evasion - T1633 Account Discovery - T1087 Application Shimming - T1138 Clipboard Data - T1115 Data Encrypted - T1022 Deobfuscate/Decode Files Or Information - T1140 Execution Through Api - T1106 Remote File Copy - T1105 Input Capture - T1056 Masquerading - T1036 Obfuscated Files Or Information - T1027 Process Discovery - T1057 Security Software Discovery - T1063 Software Packing - T1045 Standard Cryptographic Protocol - T1032 System Information Discovery - T1082 System Owner/User Discovery - T1033 System Time Discovery - T1124 Windows Management Instrumentation - T1047 Execution Through Api Masquerading Remote File Copy

Show in Graph

Common Information

Type	Value
UUID	a7fd7c35-6785-45fb-9148-e4a60d6183f4
Fingerprint	9310add405f9fe60
Analysis status	DONE
Considered CTI value	2
Text language
Published	May 9, 2020, 2:04 p.m.
Added to db	Jan. 30, 2023, 4:35 p.m.
Last updated	Nov. 17, 2024, 6:56 p.m.
Headline	Lazarus group leverages Covid themed HWP Document
Title	Lazarus group leverages Covid themed HWP Document
Detected Hints/Tags/Attributes	80/3/29

Source URLs

	Redirection	Url
Details	Source	https://medium.com/@dinu135dk/lazarus-group-leverages-covid-themed-hwp-document-dde6b80d51eb

URL Provider

Details	Provider	Source level domain
Details	medium.com	medium.com

Attributes

Details	Type	#Events	Value
Details	Domain	2	sofa.rs
Details	Domain	2	kingsvc.cc
Details	Domain	3	mbrainingevents.com
Details	Domain	2	afuocolento.it
Details	File	1	reflectivloader.dll
Details	md5	1	8451be72b75a38516e7ba7972729909e
Details	md5	1	fe2d05365f059d48fd972c79afeee682
Details	md5	1	186aa05bfe4739274c3c258be4a5a160
Details	IPv4	1	185.62.56.131
Details	MITRE ATT&CK Techniques	310	T1047
Details	MITRE ATT&CK Techniques	239	T1106
Details	MITRE ATT&CK Techniques	4	T1138
Details	MITRE ATT&CK Techniques	348	T1036
Details	MITRE ATT&CK Techniques	29	T1045
Details	MITRE ATT&CK Techniques	238	T1497
Details	MITRE ATT&CK Techniques	504	T1140
Details	MITRE ATT&CK Techniques	627	T1027
Details	MITRE ATT&CK Techniques	152	T1056
Details	MITRE ATT&CK Techniques	86	T1124
Details	MITRE ATT&CK Techniques	433	T1057
Details	MITRE ATT&CK Techniques	179	T1087
Details	MITRE ATT&CK Techniques	230	T1033
Details	MITRE ATT&CK Techniques	24	T1063
Details	MITRE ATT&CK Techniques	1006	T1082
Details	MITRE ATT&CK Techniques	492	T1105
Details	MITRE ATT&CK Techniques	82	T1115
Details	MITRE ATT&CK Techniques	28	T1022
Details	MITRE ATT&CK Techniques	23	T1032
Details	Yara rule	1	import "pe" rule ReflectiveLoader { meta: description = "Detects a unspecified hack tool, crack or malware using a reflective loader no hard match further investigation recommended" reference = "Internal Research" score = 60 strings: $s1 = "ReflectiveLoader" ascii fullword $s2 = "ReflectivLoader.dll" ascii fullword $s3 = "?ReflectiveLoader@@" condition: uint16(0) == 0x5a4d and (1 of them or pe.exports("ReflectiveLoader") or pe.exports("_ReflectiveLoader@4") or pe.exports("?ReflectiveLoader@@YGKPAX@Z")) }