Is Lazarus/APT38 Targeting Critical Infrastructures ?
Common Information
Type Value
UUID effead6a-c586-45a7-9e82-ce0b7756522e
Fingerprint 612282364f1e631
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 4, 2019, 6:45 a.m.
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Dec. 24, 2024, 9:47 a.m.
Headline Is Lazarus/APT38 Targeting Critical Infrastructures ?
Title Is Lazarus/APT38 Targeting Critical Infrastructures ?
Detected Hints/Tags/Attributes 45/2/19
Attributes
Details Type #Events CTI Value
Details Domain 1
pti.name
Details Domain 1
sm.name
Details File 1
77fdd3eamt.tmp
Details File 2
execute_%s.log
Details File 1
ccs_shell32.dll
Details File 1
%s.bmp
Details File 1
ccs_kernel32.dll
Details File 1
ccs_advapi32.dll
Details md5 1
75171549224b4292974d6ee3cf397db8
Details sha256 5
bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364
Details sha256 4
3cc9d9a12f3b884582e5c4daf7d83c4a510172a836de90b87439388e3cde3682
Details sha256 4
93a01fbbdd63943c151679d037d32b1d82a55d66c6cb93c40ff63f2b770e5ca9
Details sha256 4
a0664ac662802905329ec6ab3b3ae843f191e6555b707f305f8f5a0599ca3f68
Details sha256 4
c5c1ca4382f397481174914b1931e851a9c61f029e6b3eb8a65c9e92ddf7aa4c
Details IPv4 1
192.168.56.2
Details IPv4 2
10.38.1.35
Details IPv4 1578
127.0.0.1
Details Threat Actor Identifier - APT 178
APT38
Details Yara rule 1
import "pe"

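rule lazarus_dtrack {
	// Detects the DTrack build recovered from the KKNPP intrusion attributed to Lazarus/APT38.
	// The sample statically links the SQLite command-line shell, so eight of the original
	// strings are shell boilerplate that any sqlite3-embedding PE carries. They are kept in a
	// separate $g* group that can only reinforce a match, never produce one on its own; the
	// original "4 of them" allowed four generic SQLite strings to trigger the rule by themselves.
	meta:
		description = "lazarus - dtrack on nuclear implant KKNPP"
		date = "2019-11-02"
		hash1 = "bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364"
	strings:
		// $x*: any single hit is sufficient (threshold unchanged from the original rule).
		// NOTE(review): $x3 is a common browser-profile path pattern and may deserve a second look.
		$x1 = "move /y %s \\\\10.38.1.35\\C$\\Windows\\Temp\\MpLogs\\" ascii fullword
		$x2 = "Execute_%s.log" ascii fullword
		$x3 = "%s\\%s\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" ascii fullword

		// $s*: sample-specific strings (CCS_-prefixed module names, collection paths and the
		// exfiltration form field). Original identifiers kept for traceability.
		$s4 = "CCS_/c ping -n 3 127.0.0.1 >NUL & echo EEEE > \"%s\"" ascii fullword
		$s5 = "%s\\%s\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" ascii fullword
		$s8 = "CCS_shell32.dll" ascii fullword
		$s11 = "%s\\%s\\AppData\\Application Data\\Mozilla\\Firefox\\Profiles" ascii fullword
		// Tied to the victim environment (internal host 10.38.1.35, domain KKNPP): very high
		// confidence when present, but unlikely to recur in other builds of the implant.
		$s12 = "net use \\\\10.38.1.35\\C$ su.controller5kk /user:KKNPP\\administrator" ascii fullword
		$s14 = "CCS_Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36" ascii fullword
		$s17 = "Content-Disposition: form-data; name=\"result\"; filename=\"%s.bmp\"" ascii fullword
		$s19 = "CCS_kernel32.dll" ascii fullword
		$s20 = "CCS_Advapi32.dll" ascii fullword

		// $g*: verbatim strings from the SQLite command-line shell (sqlite3 shell.c). Present in
		// any binary that embeds the shell, so they are never counted as evidence by themselves.
		$g6 = "Usage: .system COMMAND" ascii fullword
		$g7 = "Usage: .dump ?--preserve-rowids? ?--newlines? ?LIKE-PATTERN?" ascii fullword
		$g9 = "%s:%d: expected %d columns but found %d - filling the rest with NULL" ascii fullword
		$g10 = "%s:%d: expected %d columns but found %d - extras ignored" ascii fullword
		$g13 = "VALUES(0,'memo','Missing SELFTEST table - default checks only',''),      (1,'run','PRAGMA integrity_check','ok')" ascii fullword
		$g15 = "Usage %s sub-command ?switches...?" ascii fullword
		$g16 = "Usage: .log FILENAME" ascii fullword
		$g18 = "%z%sSELECT pti.name FROM \"%w\".sqlite_master AS sm JOIN pragma_table_info(sm.name,%Q) AS pti WHERE sm.type='table'" ascii fullword
	condition:
		// MZ header and size cap as before; imphash or one $x string remain sufficient alone.
		// The string-count path now requires sample-specific evidence: four $s strings, or two
		// $s strings corroborated by three SQLite-shell strings.
		uint16(0) == 0x5a4d and filesize < 2000KB and (
			pe.imphash() == "75171549224b4292974d6ee3cf397db8" or
			1 of ($x*) or
			4 of ($s*) or
			(2 of ($s*) and 3 of ($g*))
		)
}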