疑似Lazarus组织针对韩国的攻击活动分析
Tags
| attack-pattern: | Server - T1583.004 Server - T1584.004 |
Common Information
| Type | Value |
|---|---|
| UUID | bc305ff9-abab-457e-838b-aadde57c7825 |
| Fingerprint | 37498f429eb84e6f |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Aug. 16, 2022, midnight |
| Added to db | Jan. 16, 2023, 3:51 p.m. |
| Last updated | Nov. 17, 2024, 6:53 p.m. |
| Headline | 研究报告 |
| Title | 疑似Lazarus组织针对韩国的攻击活动分析 |
| Detected Hints/Tags/Attributes | 5/1/48 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://www.antiy.cn/research/notice&report/research_report/20221101.html |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 28 | dl.dropboxusercontent.com |
|
| Details | File | 2 | klec.docx |
|
| Details | File | 1 | 西江大学韩国语言教育中心.docx |
|
| Details | File | 2 | 下载恶意载荷并将其注入到winword.exe |
|
| Details | File | 2 | 下载到的恶意载荷主要用于释放下载工具ieupdate.exe |
|
| Details | File | 4 | ieupdate.exe |
|
| Details | File | 2 | 目前已知存在两种载荷hvncengine.dll |
|
| Details | File | 2 | 和shellengine.dll |
|
| Details | File | 2 | temp2.dot |
|
| Details | File | 2 | %localappdata%\microsoft\playready下释放ieupdate.exe |
|
| Details | File | 2 | 和error.log |
|
| Details | File | 2 | 之后通过fodhelper.exe |
|
| Details | File | 2 | 绕过uac提升ieupdate.exe |
|
| Details | File | 49 | error.log |
|
| Details | File | 15 | server.txt |
|
| Details | File | 2 | 恶意载荷释放的文件以及error.log |
|
| Details | File | 2 | 将ieupdate.exe |
|
| Details | File | 10 | myapp.exe |
|
| Details | File | 9 | v3l4sp.exe |
|
| Details | File | 2 | %localappdata%\microsoft\playready\ieupdate.exe |
|
| Details | File | 2 | 则关闭先前的ieupdate.exe |
|
| Details | File | 2 | 与从error.log |
|
| Details | File | 2 | 将收集到的信息发送到post2.php |
|
| Details | File | 2 | 应为ieupdate.exe |
|
| Details | File | 2 | hvncengine.dll |
|
| Details | File | 2 | 首先和ieupdate.exe |
|
| Details | File | 2 | 与ieupdate.exe |
|
| Details | File | 3 | 打开explorer.exe |
|
| Details | File | 2 | 启动chrome.exe |
|
| Details | File | 2 | shellengine.dll |
|
| Details | File | 2 | 创建管道用于与cmd.exe |
|
| Details | File | 2 | 并将cmd.exe |
|
| Details | File | 2 | 获取cmd.exe |
|
| Details | File | 2 | 重启cmd.exe |
|
| Details | File | 2 | 进程或者通过cmd.exe |
|
| Details | File | 2 | 又根据模板文件中包含的vba代码以及ieupdate.exe |
|
| Details | File | 2 | 与shellengine.dll |
|
| Details | File | 2 | 带有恶意宏的模板文件和ieupdate.exe |
|
| Details | File | 2 | 通过fodhelper.exe |
|
| Details | File | 2 | 注入到winword.exe |
|
| Details | File | 1 | 样本还利用fodhelper.exe |
|
| Details | md5 | 2 | f1a61ee026eac8583ee840d297792478 |
|
| Details | md5 | 2 | 8D7C3F3C56AD3069908901790ADFA826 |
|
| Details | md5 | 2 | c073012bc50b6a4f55f8edcce294a0b4 |
|
| Details | md5 | 2 | 5beade9f8191c6a9c47050d4e3771b80 |
|
| Details | IPv4 | 2 | 23.106.160.173 |
|
| Details | Threat Actor Identifier - APT | 144 | APT38 |
|
| Details | Url | 2 | http://23.106.160.173/temp2.dotm |