On January 27, 2025, a sample of Lazarus malware was shared on X and identified as PEBBLEDASH, a North Korean backdoor. The malware, contained in the file iconcache.tmp.pif, establishes persistence through a registry Run key and communicates with a command and control (C2) server over HTTP. Notable targets include South Korean companies, specifically the wind turbine manufacturer Unison Co Ltd and the IT company DBWorks.
Affected: South Korean companies, Unison Co Ltd, DBWorks
Key points:
- The malware is associated with the North Korean hacking group Lazarus.
- Sample analyzed is identified as PEBBLEDASH and shared by @smica83.
- The malware file is named iconcache.tmp.pif; its SHA-256 hash is d0a41dfe8f5b5c8ba6a5d0bdc3754543210ec2d36290564d9a774e9d22e3ad97.
- The malware is delivered by a dropper executable that uses a PDF icon as a lure and carries a Korean-language file name (appearing garbled in this copy as 2025λ 01μ μ€λΌν΄ μ κΈ°μ κ²(μλͺ μ).pdf).
- Targets of this attack appear to be the South Korean IT company DBWorks and wind turbine manufacturer Unison Co Ltd.
- The malware sets persistence via registry run key during execution.
- C2 request strings follow a fixed format that combines hard-coded values with randomly generated components.
- Functionality includes command execution and screenshot capture.
MITRE Techniques:
- Persistence, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): the backdoor establishes persistence via a registry Run key.
- Command and Control, Application Layer Protocol: Web Protocols (T1071.001): the backdoor communicates with its C2 server over HTTP.
- Command and Control, Data Encoding: Standard Encoding (T1132.001) and Encrypted Channel: Symmetric Cryptography (T1573.001): response data sent to the C2 server is AES encrypted and then base64-encoded.
- Execution, Command and Scripting Interpreter: Windows Command Shell (T1059.003) and Defense Evasion / Privilege Escalation, Access Token Manipulation: Create Process with Token (T1134.002): the backdoor executes commands via cmd.exe and creates processes under impersonated tokens. (The original listing gave T1203, Exploitation for Client Execution, which does not describe cmd.exe command execution.)
- Collection, Screen Capture (T1113): the backdoor takes screenshots and saves them locally. (The original listing gave T1115, which is Clipboard Data.)
Indicators of Compromise:
- [File] iconcache.tmp.pif (PEBBLEDASH backdoor)
- [Hash] SHA-256 (backdoor): d0a41dfe8f5b5c8ba6a5d0bdc3754543210ec2d36290564d9a774e9d22e3ad97
- [File] Korean-language dropper file name, PDF icon lure (garbled in this copy as 2025λ 01μ μ€λΌν΄ μ κΈ°μ κ²(μλͺ μ).pdf)
- [Hash] SHA-256 (dropper): 6744ca5d49833c9b90aee0f3be39d28dec94579b028b05c647354ec5e1ab53e1
- [URL] C2: http://www.addfriend[.]kr/board/userfiles/temp/index.html
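The following is an added triage script, not code from the original analysis or from the malware author. It takes the indicators listed above (file name, the two SHA-256 hashes, the defanged C2 URL) and checks them against three kinds of artifacts a responder would collect: file hashes, Run-key entries exported from the registry (the page does not give the Run value name, so the entries below are constructed), and proxy log lines (also constructed, in an assumed "timestamp client method url status" layout). Matching is case-insensitive and the C2 check matches on host as well as exact URL, since a follow-up request to the same host with a different path is still worth flagging.

```python
"""IOC triage helpers for the PEBBLEDASH sample described above.

Added example; the IOC constants come from the page, the Run-key entries
and proxy log lines in main() are constructed test data.
"""
import hashlib
from urllib.parse import urlsplit

# --- Indicators taken from the page ---------------------------------------
MALICIOUS_FILENAME = "iconcache.tmp.pif"
MALICIOUS_SHA256 = {
    "d0a41dfe8f5b5c8ba6a5d0bdc3754543210ec2d36290564d9a774e9d22e3ad97": "PEBBLEDASH backdoor (iconcache.tmp.pif)",
    "6744ca5d49833c9b90aee0f3be39d28dec94579b028b05c647354ec5e1ab53e1": "PDF-icon dropper",
}
C2_URL_DEFANGED = "http://www.addfriend[.]kr/board/userfiles/temp/index.html"


def refang(url: str) -> str:
    """Turn a defanged IOC ('[.]', 'hxxp') back into a string that can be matched."""
    return url.replace("[.]", ".").replace("hxxp", "http")


C2_URL = refang(C2_URL_DEFANGED)
C2_HOST = urlsplit(C2_URL).hostname


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream the file so large samples do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hash(digest: str):
    """Return the IOC label for a SHA-256 digest, or None if it is not listed."""
    return MALICIOUS_SHA256.get(digest.strip().lower())


def suspicious_run_entries(run_values: dict) -> list:
    """Check Run-key values given as {value_name: command_line}, e.g. exported
    with Get-ItemProperty or 'reg query'. An entry referencing the known
    file name is a 'high' hit; any other .pif launched from a Run key is
    unusual enough on a modern host to report as 'medium'."""
    hits = []
    for name, cmd in run_values.items():
        lowered = cmd.lower()
        if MALICIOUS_FILENAME in lowered:
            hits.append((name, cmd, "high"))
        elif ".pif" in lowered:
            hits.append((name, cmd, "medium"))
    return hits


def c2_hits(log_lines) -> list:
    """Scan proxy log lines (assumed layout: timestamp client method url status)
    and return (line_number, url, exact) for requests to the C2 host; 'exact'
    is True when the full C2 URL was requested, not just the host."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line; skip rather than guess
        url = fields[3]
        parts = urlsplit(url)
        if parts.hostname and parts.hostname.lower() == C2_HOST:
            exact = (parts.scheme, parts.netloc.lower(), parts.path) == (
                urlsplit(C2_URL).scheme, urlsplit(C2_URL).netloc, urlsplit(C2_URL).path)
            hits.append((lineno, url, exact))
    return hits


if __name__ == "__main__":
    # Constructed sample data; the real Run value name is not given on the page.
    run_key = {
        "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "IconCache": r'"C:\Users\u\AppData\Local\Temp\iconcache.tmp.pif"',
    }
    proxy_log = [
        "2025-01-28T09:12:01Z 10.0.0.15 GET http://www.addfriend.kr/board/userfiles/temp/index.html 200",
        "2025-01-28T09:13:44Z 10.0.0.22 GET https://www.example.com/index.html 200",
        "2025-01-28T09:14:10Z 10.0.0.15 POST http://www.addfriend.kr/board/userfiles/temp/other.php 200",
    ]
    print("Run-key hits:", suspicious_run_entries(run_key))
    print("C2 hits:", c2_hits(proxy_log))
```

For live hosts, feed suspicious_run_entries the HKCU and HKLM Run keys for every loaded user hive, and run match_hash over anything found there; a .pif in a user Temp directory launched from a Run key is already a strong signal even before the hash matches.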
Full Story: https://dmpdump.github.io/posts/Lazarus-Backdoor-ITLure/