Validin’s DNS history and host-response data are used to expand Lazarus Group indicators from a handful of known domains to current infrastructure with high confidence. The article walks through subdomain history, IP pivots, and a TLS certificate hash pivot to uncover 8 IP addresses and 29 apex domains linked to Lazarus Group, and highlights the meeting-themed domain names the group uses in phishing. #LazarusGroup #APT38 #SonyPicturesEntertainment #Validin #DNSHistory
Keypoints
- Lazarus Group (APT38) is a North Korean threat actor known for phishing, impersonation, and meeting-themed domain names in its operations.
- The analysis starts from a reported Lazarus-associated domain and expands indicators using Validin’s DNS history to find related domains and IPs.
- Initial subdomains for roomconnect.online revealed two early IPs (104.168.137.21 and 104.168.203.159) before June 2024.
- After a resolution gap that ended on June 24, 2024, the subdomains began resolving to a new IP (104.168.157.45); the apex domain itself resolved differently from its subdomains, so apex and subdomain records have to be examined separately.
- The zone shows wildcard DNS behavior and serves a wildcard certificate, so any subdomain label resolves and is covered by the certificate without the operator creating explicit records; hostname indicators for these domains should be treated as apex-plus-wildcard rather than as a fixed list of subdomains.
- Pivoting on IPs and a certificate hash (SHA1 8edc64bd3deaa4397af5453aee893fa6704dfabf) reveals additional related domains and host connections, boosting association confidence.
- Ultimately, the process identifies 8 potentially current Lazarus-related IPs and 29 apex domains with high confidence, including many meeting-themed domains.
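The pivot procedure the keypoints describe (seed domain, IP pivots, certificate pivot, resolution gap, wildcard check), as an added example that is not Validin’s code and does not call its API. Every passive-DNS row and certificate sighting below is constructed to mirror the shape of the findings above; the certificate hash is a placeholder, the `.test` domains and `203.0.113.9` stand in for unrelated shared-hosting tenants, and the two-label apex heuristic and the shared-hosting threshold are assumptions a practitioner would tune.

```python
"""Pivot from a seed domain through passive-DNS and certificate sightings.

Added example, not Validin's code or API. Every record here is constructed
to mirror the shape of the summary's findings (two early IPs, a resolution
gap, a new IP, a shared certificate, a wildcard zone); none is real data.
"""
import random
import string
from collections import defaultdict
from datetime import date

# Constructed passive-DNS rows: (hostname, ip, first_seen, last_seen).
PDNS = [
    ("roomconnect.online", "203.0.113.9", date(2023, 10, 1), date(2023, 12, 31)),  # parked
    ("www.roomconnect.online", "104.168.137.21", date(2024, 3, 1), date(2024, 4, 10)),
    ("qjhndbrw.roomconnect.online", "104.168.203.159", date(2024, 4, 11), date(2024, 5, 30)),
    ("emv1.roomconnect.online", "104.168.157.45", date(2024, 6, 24), date(2024, 9, 1)),
    ("www.meeting-hub.online", "104.168.203.161", date(2024, 5, 1), date(2024, 6, 30)),
    ("www.meeting-hub.online", "104.168.157.45", date(2024, 7, 2), date(2024, 9, 1)),
    ("docs.dropfile.cloud", "104.168.157.45", date(2024, 7, 5), date(2024, 9, 1)),
    ("www.group-meet.online", "104.168.203.161", date(2024, 5, 15), date(2024, 9, 1)),
    ("www.trustmeeting.online", "104.168.165.203", date(2024, 7, 10), date(2024, 9, 1)),
] + [  # five unrelated domains parked on the same shared IP the seed once used
    (f"www.parked-{c}.test", "203.0.113.9", date(2023, 1, 1), date(2024, 9, 1)) for c in "abcde"
]
# Constructed certificate sightings: (sha1, hostname). The hash is a placeholder.
CERTS = [
    ("0000000000000000000000000000000000000001", "emv1.roomconnect.online"),
    ("0000000000000000000000000000000000000001", "www.trustmeeting.online"),
]


def apex(host):
    """Registrable domain as the last two labels; use a public-suffix list for co.uk etc."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def expand(seed, pdns=PDNS, certs=CERTS, max_hops=2, shared_threshold=5):
    """Breadth-first pivot: apex -> IP -> apexes and apex -> cert -> apexes.
    An IP hosting more than shared_threshold apexes is treated as shared hosting
    and not pivoted through, otherwise unrelated tenants flood the result.
    Returns (evidence, ips, skipped_ips)."""
    ips_by_apex, apexes_by_ip = defaultdict(set), defaultdict(set)
    for host, ip, _, _ in pdns:
        ips_by_apex[apex(host)].add(ip)
        apexes_by_ip[ip].add(apex(host))
    certs_by_apex, apexes_by_cert = defaultdict(set), defaultdict(set)
    for sha1, host in certs:
        certs_by_apex[apex(host)].add(sha1)
        apexes_by_cert[sha1].add(apex(host))

    seed = apex(seed)
    evidence = {seed: "seed"}  # apex -> the pivot that surfaced it
    skipped, frontier = set(), [seed]
    for _ in range(max_hops):
        nxt = []
        for a in frontier:
            for ip in ips_by_apex[a]:
                if len(apexes_by_ip[ip]) > shared_threshold:
                    skipped.add(ip)
                    continue
                for b in apexes_by_ip[ip]:
                    if b not in evidence:
                        evidence[b] = f"ip {ip} via {a}"
                        nxt.append(b)
            for sha1 in certs_by_apex[a]:
                for b in apexes_by_cert[sha1]:
                    if b not in evidence:
                        evidence[b] = f"cert {sha1[:8]} via {a}"
                        nxt.append(b)
        frontier = nxt
    ips = set().union(*(ips_by_apex[a] for a in evidence)) - skipped
    return evidence, ips, skipped


def resolution_gaps(pdns, apex_name, min_gap_days=14):
    """Walk an apex's records in time order and report pauses longer than
    min_gap_days, with the IP in use before and after each pause."""
    recs = sorted((r for r in pdns if apex(r[0]) == apex_name), key=lambda r: r[2])
    if not recs:
        return []
    gaps, cur_ip, cur_end = [], recs[0][1], recs[0][3]
    for _host, ip, first, last in recs[1:]:
        if (first - cur_end).days > min_gap_days:
            gaps.append((cur_ip, cur_end, first, ip))
        if last >= cur_end:
            cur_ip, cur_end = ip, last
    return gaps


def is_wildcard(apex_name, resolve, probes=3):
    """Resolve random labels under the apex; if every probe answers, the zone
    has a wildcard record and any hostname under it is usable by the operator."""
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase, k=12))
        if not resolve(f"{label}.{apex_name}"):
            return False
    return True
```

`resolve` is any callable returning a list of addresses, so the offline check takes a lambda over the constructed data; against live DNS, wrapping `socket.gethostbyname_ex(name)[2]` in a try/except does the job. The shared-hosting cutoff is the check most worth keeping: a pivot through a parking or CDN address silently attaches every tenant of that box to the actor.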
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The article evidences phishing and impersonation in general, not an attachment-based lure specifically, so the parent technique T1566 (Phishing) is the safer mapping. “Lazarus Group uses phishing and impersonation tactics to deceive its victims and is known for using meeting-themed domain names in its phishing attempts.”
- [T1583.001] Acquire Infrastructure: Domains – The adversary behavior is the registration of the meeting-themed apex domains; the researchers enumerate that infrastructure by pivoting from known indicators to related apex domains and subdomains. “we uncovered 8 IP addresses that appear currently or recently associated with Lazarus Group, and 29 apex domains that we have high confidence are Lazarus-associated”
- [T1583.002] Acquire Infrastructure: IP Addresses – The adversary behavior is the provisioning of hosting for those domains; the analysis identifies multiple IPs behind the subdomains over time, widening infrastructure coverage. “The subdomains … used two IP addresses before June 2024: 104.168.137.21 and 104.168.203.159”
- [T1071.004] Application Layer Protocol: DNS – This technique covers command-and-control traffic carried over DNS, which the article does not show. The DNS here is historic resolution data used by the researchers as a pivot, not a channel used by the adversary, so the evidence does not support this mapping. “historic DNS with detailed annotations to expand from known indicators to discover current and recent domain names and IP addresses associated with Lazarus Group with high confidence.”
Indicators of Compromise
- [Domain] apex domains – live-meeting.world, dropfile.cloud, virtual-collab.online, meeting-hub.online, docsend.online, dropfile.online, alwayswelcome.online, ubi-safemeeting.online, trustmeeting.online, meeting-central.online, meeting-pro.online, room-connect.online, internal-meet.online, general-meet.online, group-meet.online, regular-meet.online, alwayswait.online, docsend.store, docsend.site, general-meet.site, video-meet.site, group-meet.site, regular-meet.site, trustmeeting.live, online-meeting.social, internal-meet.team, general-meet.team, group-meet.team, regular-meet.team, online-meeting.community, internal-meet.xyz (31 names are listed here against the article’s count of 29 high-confidence apex domains; check the source for the exact set. Note that room-connect.online is a different registration from the seed domain roomconnect.online.)
- [Domain] subdomains for roomconnect.online – www.roomconnect.online, www.qjhndbrw.roomconnect.online, qjhndbrw.roomconnect.online, www.emv1.roomconnect.online, emv1.roomconnect.online
- [IP Address] observed pivots – 104.168.137.21, 104.168.203.159, 104.168.157.45, 104.168.203.161, 104.168.165.203, 104.168.165.173, 104.168.165.165, 108.174.194.10
- [Certificate] SHA1 – 8edc64bd3deaa4397af5453aee893fa6704dfabf
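A detection pass over resolver logs using the domain and IP indicators listed above, as an added example that is not Validin’s code. The log lines are constructed and their key=value layout is an assumption (adapt `LINE_RE` to Zeek, BIND or whatever source you have); the non-indicator addresses use documentation ranges. Because the zones use wildcard DNS, the matcher treats any hostname under an IOC apex as a hit, but only at label boundaries, which is where naive substring or `endswith()` matching goes wrong.

```python
"""Match DNS query logs against the domain and IP indicators listed above.

Added example, not Validin's code. The log lines are constructed and the
key=value line format is an assumption; adapt LINE_RE to your own source.
"""
import re

APEX_IOCS = {
    "live-meeting.world", "dropfile.cloud", "virtual-collab.online",
    "meeting-hub.online", "docsend.online", "dropfile.online",
    "alwayswelcome.online", "ubi-safemeeting.online", "trustmeeting.online",
    "meeting-central.online", "meeting-pro.online", "room-connect.online",
    "internal-meet.online", "general-meet.online", "group-meet.online",
    "regular-meet.online", "alwayswait.online", "docsend.store", "docsend.site",
    "general-meet.site", "video-meet.site", "group-meet.site", "regular-meet.site",
    "trustmeeting.live", "online-meeting.social", "internal-meet.team",
    "general-meet.team", "group-meet.team", "regular-meet.team",
    "online-meeting.community", "internal-meet.xyz",
}
IP_IOCS = {
    "104.168.137.21", "104.168.203.159", "104.168.157.45", "104.168.203.161",
    "104.168.165.203", "104.168.165.173", "104.168.165.165", "108.174.194.10",
}

# Constructed resolver log. The only real addresses are the page's indicators;
# everything else is from documentation ranges.
LOG = """\
2024-07-02T10:15:03Z client=10.0.0.5 query=www.meeting-hub.online. type=A answers=104.168.157.45
2024-07-02T10:16:44Z client=10.0.0.7 query=video.example.com. type=A answers=192.0.2.10
2024-07-02T10:17:01Z client=10.0.0.9 query=notmeeting-hub.online. type=A answers=198.51.100.4
2024-07-02T10:18:20Z client=10.0.0.5 query=meeting-hub.online.corp.example. type=A answers=
2024-07-02T10:19:55Z client=10.0.0.12 query=X7F2K.Room-Connect.online. type=A answers=104.168.165.173
2024-07-02T10:21:10Z client=10.0.0.3 query=cdn.example.net. type=A answers=203.0.113.5,104.168.203.161
"""
LINE_RE = re.compile(r"(\S+) client=(\S+) query=(\S+) type=(\S+) answers=(\S*)")


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.lower().rstrip(".")


def matching_apex(qname, apexes=APEX_IOCS):
    """Return the IOC apex that qname equals or sits under, else None.
    Suffixes are tested at label boundaries only, so 'notmeeting-hub.online'
    and 'meeting-hub.online.corp.example' do not match; a bare endswith() or
    substring test would flag both."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in apexes:
            return candidate
    return None


def scan(log_text, apexes=APEX_IOCS, ips=IP_IOCS):
    """Return one hit per line whose query name or answer set touches an IOC.
    Answer-IP matching catches hosts that resolve to actor infrastructure
    under a name not yet on the domain list."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, qname, _qtype, answers = m.groups()
        apex = matching_apex(qname, apexes)
        bad_ips = sorted(a for a in answers.split(",") if a in ips)
        if apex or bad_ips:
            hits.append({"ts": ts, "client": client, "query": normalize(qname),
                         "apex": apex, "ips": bad_ips})
    return hits
```

The third hit, `cdn.example.net` answering with one of the indicator IPs, is the case worth alerting on separately: it is how a new actor domain shows up before anyone has added it to the list, and it is also where shared hosting produces false positives, so triage it against the passive-DNS tenant count rather than blocking outright.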
Read more: https://www.validin.com/blog/hunting-lazarus-dns-history-host-responses/