Source |
AlienVault Blog |
Identifier |
740332 |
Publication date |
2018-06-22 14:41:00 (viewed: 2018-07-11 17:02:48) |
Title |
Malicious Documents from Lazarus Group Targeting South Korea |
Text |
By Chris Doman, Fernando Martinez and Jaime Blasco
We took a brief look at some documents recently discussed and reviewed by researchers in South Korea over the past week. The malware is linked to Lazarus, a group of attackers reportedly based in North Korea. One malicious document appears to target members of a recent G20 financial meeting, a forum that seeks to coordinate economic policy among the wealthiest countries. Another is reportedly related to the recent theft of $30 million from the Bithumb crypto-currency exchange in South Korea.
This article stands very much on the shoulders of other work by researchers in South Korea. Credit for initially identifying these documents goes to @issuemakerslab, @_jsoo_ and others.
Malicious Documents
We looked at three similar malicious documents:
국제금융체제 실무그룹 회의결과.hwp ("Results of the international financial system working group meeting") - cf09201f02f2edb9c555942a2d6b01d4
금융안정 컨퍼런스 개최결과.hwp ("Financial Stability Conference held") - 69ad5bd4b881d6d1fdb7b19939903e0b
신재영 전산담당 경력.hwp ("[Name] Computer Experience") - 06cfc6cda57fb5b67ee3eb0400dd5b97
[Figure: The decoy document, mentioning the G20 International Financial Architecture Working Group Meeting]
[Figure: The decoy document of a resume]
These are Hangul Word Processor ("HWP") files, the native format of a word processor widely used in South Korea. The HWP files embed malicious PostScript code that downloads either a 32-bit or a 64-bit version of the next stage from:
https://tpddata[.]com/skins/skin-8.thm - eb6275a24d047e3be05c2b4e5f50703d - 32 bit
https://tpddata[.]com/skins/skin-6.thm - a6d1424e1c33ac7a95eb5b92b923c511 - 64 bit
The malware is Manuscrypt (previously described by McAfee and |
Notes |
|
Sent |
Yes |
Digest |
Tags |
|
Stories |
Wannacry
Bithumb
APT 38
|
Move |
|