Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack | WeLiveSecurity
Tags
cmtmf-attack-pattern: Acquire Infrastructure Application Layer Protocol Develop Capabilities Event Triggered Execution Obfuscated Files Or Information Stage Capabilities
country: Argentina Brazil North Korea Georgia Romania
maec-delivery-vectors: Watering Hole
attack-pattern: Acquire Infrastructure Data Direct Acquire Infrastructure - T1583 Application Layer Protocol - T1437 Cloud Accounts - T1078.004 Cloud Accounts - T1585.003 Cloud Accounts - T1586.003 Create Process With Token - T1134.002 Dead Drop Resolver - T1102.001 Dead Drop Resolver - T1481.001 Develop Capabilities - T1587 Domains - T1583.001 Domains - T1584.001 Embedded Payloads - T1027.009 Encrypted Channel - T1521 Encrypted Channel - T1573 Establish Accounts - T1585 Event Triggered Execution - T1624 Event Triggered Execution - T1546 Exfiltration Over C2 Channel - T1646 File And Directory Discovery - T1420 File Deletion - T1070.004 File Deletion - T1630.002 Impair Command History Logging - T1562.003 Impair Defenses - T1562 Impair Defenses - T1629 Malicious File - T1204.002 Malware - T1587.001 Malware - T1588.001 Obfuscated Files Or Information - T1406 Phishing - T1660 Phishing - T1566 Search Open Websites/Domains - T1593 Server - T1583.004 Server - T1584.004 Social Media - T1593.001 Software - T1592.002 Spearphishing Link - T1566.002 Spearphishing Link - T1598.003 Stage Capabilities - T1608 Standard Encoding - T1132.001 Symmetric Cryptography - T1521.001 Symmetric Cryptography - T1573.001 System Services - T1569 Web Protocols - T1071.001 Web Protocols - T1437.001 Virtualization/Sandbox Evasion - T1497 Time Based Evasion - T1497.003 Unix Shell Configuration Modification - T1546.004 Tool - T1588.002 Upload Malware - T1608.001 Virtualization/Sandbox Evasion - T1633 Access Token Manipulation - T1134 Standard Application Layer Protocol - T1071 Connection Proxy - T1090 Data Encoding - T1132 Deobfuscate/Decode Files Or Information - T1140 Exfiltration Over Command And Control Channel - T1041 File And Directory Discovery - T1083 File Deletion - T1107 Indicator Removal On Host - T1070 Obfuscated Files Or Information - T1027 Spearphishing Link - T1192 User Execution - T1204 User Execution
Common Information
Type Value
UUID aeb6b3e0-490d-45e1-a13a-a414595840d9
Fingerprint 851f991b4b370af1
Analysis status DONE
Considered CTI value 2
Text language
Published April 20, 2023, 11:30 a.m.
Added to db June 5, 2023, 10:13 a.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack
Title Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack | WeLiveSecurity
Detected Hints/Tags/Attributes 160/4/56
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 33 WeLiveSecurity https://blog.eset.com/feed 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details MITRE ATT&CK Techniques 6 T1593.001
Details MITRE ATT&CK Techniques 15 T1584.001
Details MITRE ATT&CK Techniques 96 T1587.001
Details MITRE ATT&CK Techniques 8 T1585.003
Details MITRE ATT&CK Techniques 49 T1608.001
Details MITRE ATT&CK Techniques 365 T1204.002
Details MITRE ATT&CK Techniques 183 T1566.002
Details MITRE ATT&CK Techniques 11 T1546.004
Details MITRE ATT&CK Techniques 24 T1134.002
Details MITRE ATT&CK Techniques 504 T1140
Details MITRE ATT&CK Techniques 40 T1027.009
Details MITRE ATT&CK Techniques 9 T1562.003
Details MITRE ATT&CK Techniques 297 T1070.004
Details MITRE ATT&CK Techniques 57 T1497.003
Details MITRE ATT&CK Techniques 585 T1083
Details MITRE ATT&CK Techniques 442 T1071.001
Details MITRE ATT&CK Techniques 130 T1573.001
Details MITRE ATT&CK Techniques 99 T1132.001
Details MITRE ATT&CK Techniques 152 T1090
Details MITRE ATT&CK Techniques 422 T1041
Details Url 3 https://journalide.org/djour.php
Details Yara rule 2
import "pe"

rule RichHeaders_Lazarus_NukeSped_IconicPayloads_3CX_Q12023 {
	meta:
		description = "Rich Headers-based rule covering the IconicLoader and IconicStealer from the 3CX supply chain incident, and also payloads from the cryptocurrency campaigns from 2022-12"
		author = "ESET Research"
		date = "2023-03-31"
		hash = "3B88CDA62CDD918B62EF5AA8C5A73A46F176D18B"
		hash = "CAD1120D91B812ACAFEF7175F949DD1B09C6C21A"
		hash = "5B03294B72C0CAA5FB20E7817002C600645EB475"
		hash = "7491BD61ED15298CE5EE5FFD01C8C82A2CDB40EC"
	condition:
		// pe.rich_signature.toolid(tool, build) returns how many times that
		// (tool id, build number) pair occurs in the PE Rich header, which
		// fingerprints the compiler/linker toolchain that produced the binary.
		pe.rich_signature.toolid(259, 30818) == 9 and
		pe.rich_signature.toolid(256, 31329) == 1 and
		pe.rich_signature.toolid(261, 30818) >= 30 and pe.rich_signature.toolid(261, 30818) <= 38 and
		pe.rich_signature.toolid(261, 29395) >= 134 and pe.rich_signature.toolid(261, 29395) <= 164 and
		pe.rich_signature.toolid(257, 29395) >= 6 and pe.rich_signature.toolid(257, 29395) <= 14
}