Lazarus supply‑chain attack in South Korea | WeLiveSecurity
Tags
cmtmf-attack-pattern: Application Layer Protocol Boot Or Logon Autostart Execution Compromise Infrastructure Develop Capabilities Masquerading Obfuscated Files Or Information Obtain Capabilities Process Injection Supply Chain Compromise
country: North Korea South Korea Thailand Poland
maec-delivery-vectors: Watering Hole
attack-pattern: Data Application Layer Protocol - T1437 Boot Or Logon Autostart Execution - T1547 Code Signing - T1553.002 Code Signing Certificates - T1587.002 Code Signing Certificates - T1588.003 Compromise Infrastructure - T1584 Compromise Software Supply Chain - T1195.002 Compromise Software Supply Chain - T1474.003 Develop Capabilities - T1587 Digital Certificates - T1596.003 Digital Certificates - T1587.003 Digital Certificates - T1588.004 Dynamic Resolution - T1637 Dynamic Resolution - T1568 Encrypted Channel - T1521 Encrypted Channel - T1573 Exfiltration Over C2 Channel - T1646 Malware - T1587.001 Malware - T1588.001 Masquerading - T1655 Obfuscated Files Or Information - T1406 Native Api - T1575 Obtain Capabilities - T1588 Phishing - T1660 Phishing - T1566 Process Injection - T1631 Security Support Provider - T1547.005 Server - T1583.004 Server - T1584.004 Software - T1592.002 Software Packing - T1027.002 Software Packing - T1406.002 Subvert Trust Controls - T1632 Subvert Trust Controls - T1553 Supply Chain Compromise - T1474 Symmetric Cryptography - T1521.001 Symmetric Cryptography - T1573.001 Web Protocols - T1071.001 Web Protocols - T1437.001 Tool - T1588.002 Standard Application Layer Protocol - T1071 Code Signing - T1116 Execution Through Api - T1106 Exfiltration Over Command And Control Channel - T1041 Masquerading - T1036 Obfuscated Files Or Information - T1027 Process Injection - T1055 Security Support Provider - T1101 Software Packing - T1045 Supply Chain Compromise - T1195 Masquerading Supply Chain Compromise
Common Information
Type Value
UUID d65dde53-818e-490c-93b6-3c88c281c636
Fingerprint 87008b58e761ab9e
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 16, 2020, 11:30 a.m.
Added to db Feb. 17, 2023, 10:46 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Lazarus supply‑chain attack in South Korea
Title Lazarus supply‑chain attack in South Korea | WeLiveSecurity
Detected Hints/Tags/Attributes 141/4/98
Attributes
Details Type #Events CTI Value
Details MITRE ATT&CK Techniques 21
T1584.004
Details MITRE ATT&CK Techniques 96
T1587.001
Details MITRE ATT&CK Techniques 33
T1588.003
Details MITRE ATT&CK Techniques 36
T1195.002
Details MITRE ATT&CK Techniques 239
T1106
Details MITRE ATT&CK Techniques 3
T1547.005
Details MITRE ATT&CK Techniques 348
T1036
Details MITRE ATT&CK Techniques 160
T1027.002
Details MITRE ATT&CK Techniques 440
T1055
Details MITRE ATT&CK Techniques 55
T1553.002
Details MITRE ATT&CK Techniques 442
T1071.001
Details MITRE ATT&CK Techniques 130
T1573.001
Details MITRE ATT&CK Techniques 422
T1041
Details Windows Registry Key 4
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security