Lazarus targeted Boeing job seekers with a lure document, Boeing BDS MSE.docx, that delivers a DLL posing as the legitimate Notepad++ shell extension. The malware collects system and process information, compresses it, XOR-encrypts it, and Base64-encodes it before exfiltrating it to one of four C2 servers, and it can download, load, and execute payloads or shellcode.
Hashtags: #Lazarus #NotepadShellExtension #NotepadPlusPlusShellExtension #Boeing #LockheedMartin #BAESystems #ManteLi #bmanal #shopandtravelusa #industryinfostructure
Key points
- The Lazarus operation targeted Boeing job seekers with a lure document named Boeing BDS MSE.docx.
- The malware collects host and process information (hostname, username, network info, list of processes) for exfiltration.
- Data staged for exfiltration is compressed, XOR‑encrypted, and Base64‑encoded before transmission to the C2 server.
- The Trojan supports four main actions: download and execute a .exe file, download and execute a .dll file, load a PE into process memory, and run shellcode.
- An anti‑analysis check calls IsProcessorFeaturePresent; if the fast-fail feature is not supported, the process terminates.
- The sample is a DLL with exports; only one export (DllGetFirstChild) is malicious, mimicking legitimate Notepad++ shell extension behavior.
- C2 communication occurs over HTTP/HTTPS using WinINet; four potential C2 servers are decrypted from a parameter and one is chosen at random.
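The key points above name the three encoding layers applied to exfiltrated data (compress, XOR, Base64) but not the XOR key or the compression algorithm. The following added analyst utility (not code from the original report or from the malware) shows how a captured blob would be peeled back in reverse order, and how a single-byte XOR key can be recovered by using the decompressor itself as an oracle. The sample plaintext, the key 0x5A, the single-byte key length, and zlib as the compressor are all constructed assumptions for this example.

```python
import base64
import zlib
from typing import Optional, Tuple

# Constructed sample data for this example only: NOT real Lazarus traffic.
SAMPLE_PLAINTEXT = b"hostname=WKS-01;user=analyst;proc=explorer.exe,notepad++.exe"
SAMPLE_KEY = 0x5A  # assumed single-byte key, chosen for the example


def layer_encode(data: bytes, key: int) -> str:
    """Apply the layers in the order the report describes
    (compress -> XOR -> Base64). Used here only to build test input."""
    compressed = zlib.compress(data)  # zlib is an assumption; report says only "compressed"
    xored = bytes(b ^ key for b in compressed)
    return base64.b64encode(xored).decode("ascii")


def layer_decode(blob: str, key: int) -> bytes:
    """Reverse the layers: Base64 -> XOR -> decompress."""
    raw = base64.b64decode(blob)
    xored = bytes(b ^ key for b in raw)
    return zlib.decompress(xored)


def recover_key(blob: str) -> Optional[Tuple[int, bytes]]:
    """Brute-force a single-byte XOR key.

    A zlib stream begins with CMF byte 0x78 and ends with an Adler-32
    checksum, so decompression fails for almost every wrong key. The
    candidate derived from the first byte is tried first, then the rest.
    Returns (key, plaintext) or None if no key yields a valid stream."""
    raw = base64.b64decode(blob)
    if not raw:
        return None
    first_guess = raw[0] ^ 0x78
    candidates = [first_guess] + [k for k in range(256) if k != first_guess]
    for key in candidates:
        try:
            plaintext = zlib.decompress(bytes(b ^ key for b in raw))
        except zlib.error:
            continue
        return key, plaintext
    return None


# Constructed blob that a capture of this (hypothetical) traffic would contain.
SAMPLE_BLOB = layer_encode(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print(recover_key(SAMPLE_BLOB))
```

If the real sample uses a multi-byte key or a different compressor, only `recover_key` needs changing; the layer order, which is what the report establishes, stays the same.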
MITRE Techniques
- [T1105] Ingress Tool Transfer – ‘downloading and executing a .exe or .dll file.’
- [T1055] Process Injection – ‘loading a PE (Portable Executable) into the process memory, and executing shellcode.’
- [T1218.011] Rundll32 – ‘Rundll32.exe is used to execute the DLL file (an export function can also be specified in the command line)’.
- [T1082] System Information Discovery – ‘The malware extracts the hostname, username, network information, a list of processes, and other information’.
- [T1016] System Network Configuration Discovery – ‘The NetBIOS name of the local computer is extracted via a function call to GetComputerNameW’.
- [T1057] Process Discovery – ‘a list of processes’.
- [T1027] Obfuscated/Compressed Files and Information – ‘data targeted for exfiltration is compressed, XOR-encrypted and then Base64-encoded before being transmitted to the C2 server.’
- [T1140] Deobfuscation/Decode – ‘The binary decrypts the above parameter using a custom algorithm.’
- [T1041] Exfiltration Over C2 Channel – ‘HttpSendRequestW is used to exfiltrate data to the C2 server’.
- [T1071.001] Web Protocols – ‘The DLL opens an HTTP session to the C2 server on port 443’ and related HTTP calls.
- [T1497] Virtualization/Sandbox Evasion – ‘anti-analysis check… IsProcessorFeaturePresent… If this feature is not supported, the current process is terminated’.
Indicators of Compromise
- [Hash] SHA256 – 803dda6c8dc426f1005acdf765d9ef897dd502cd8a80632eef4738d1d7947269
- [Domain] C2 Domains – bmanal.com, shopandtravelusa.com, industryinfostructure.com
- [URL] Web URLs – mante.li/images/draw.php, bmanal.com/images/draw.php, shopandtravelusa.com/vendor/monolog/monolog/src/Monolog/monolog.php, industryinfostructure.com/templates/worldgroup/view.php
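Because the implant picks one of the four C2 servers at random, detection has to cover all of them. The following added example (not part of the original report) turns the indicators listed above into a small matcher run over constructed proxy log lines: an exact host-plus-path match against the listed URLs is treated as a high-confidence hit, a bare domain or subdomain match as a lower-confidence hit, and a file's SHA256 is compared with the listed hash. The log format (timestamp, client IP, method, URL) and every log line are constructed for this example; mante.li is taken from the URL list, since the domain list above does not repeat it.

```python
import hashlib
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators copied from the summary above.
IOC_SHA256 = "803dda6c8dc426f1005acdf765d9ef897dd502cd8a80632eef4738d1d7947269"
IOC_URLS = {
    "mante.li/images/draw.php",
    "bmanal.com/images/draw.php",
    "shopandtravelusa.com/vendor/monolog/monolog/src/Monolog/monolog.php",
    "industryinfostructure.com/templates/worldgroup/view.php",
}
# Domains derived from the URL list (covers mante.li as well).
IOC_DOMAINS = {u.split("/", 1)[0] for u in IOC_URLS}

# Constructed proxy log lines (assumed format: ts client method url).
SAMPLE_LOG = """\
1700000000.123 10.0.0.5 GET https://www.example.com/index.html
1700000001.456 10.0.0.5 POST https://bmanal.com/images/draw.php
1700000002.789 10.0.0.9 GET https://cdn.example.org/lib.js
1700000003.001 10.0.0.5 POST http://industryinfostructure.com/templates/worldgroup/view.php?x=1
1700000004.002 10.0.0.7 GET https://mail.shopandtravelusa.com/
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def classify_url(url: str) -> Optional[str]:
    """Return 'url' for an exact host+path hit, 'domain' for a domain or
    subdomain hit, None otherwise. Query strings are ignored on purpose."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if f"{host}{parts.path}" in IOC_URLS:
        return "url"
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        return "domain"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Yield (client, host, confidence) for every log line that matches an IoC."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        level = classify_url(m["url"])
        if level:
            hits.append((m["client"], urlsplit(m["url"]).hostname, level))
    return hits


def sha256_matches(data: bytes) -> bool:
    """True if the file contents hash to the listed sample SHA256."""
    return hashlib.sha256(data).hexdigest() == IOC_SHA256


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Treat the domain-level matches as a trigger for review rather than an automatic verdict: the path component is what the report ties to the implant, so a request to a listed domain with a different path warrants a look at the full URL before escalating.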
Read more: https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/