Unpacking APT38: Static and Dynamic Analysis of Lazarus Group Malware

This analysis of the APT38 malware highlights the methods used by the Lazarus Group, focusing on the sample’s malicious capabilities and behaviors, such as process injection and command and control operations. The findings indicate the need for immediate security measures against such threats. Affected: Windows, Linux, macOS, financial institutions, government agencies, corporate networks

Key points:

  • The malware analyzed is linked to the Lazarus Group, a state-sponsored APT associated with North Korea.
  • The analyzed sample is named 875b0cbad25e04a255b13f86ba361b58453b6f3c5cc11aca2db573c656e64e24.exe.
  • Dynamic and static analyses revealed various malicious behaviors, including registry modifications and suspicious network communication.
  • High entropy scores suggest packing and obfuscation techniques to evade detection.
  • Indicators of Compromise (IOCs) were extracted for detection and mitigation strategies.
  • Recommendations include immediate disconnection from networks, blocking C2 endpoints, and conducting thorough system scans.
  • Once present on a system, the malware can create processes, modify the registry, and attempt to exfiltrate data.

MITRE Techniques:

  • Process Injection (T1055) – The malware uses CreateProcess to create new processes, indicating process injection capabilities.
  • Registry Run Keys / Startup Folder (T1060) – Modifications to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ensure persistence.
  • Command and Control (T1071) – Established connections to the C2 server at 211.239.117.117 and attempted HTTP communication to http://www.addfriend.kr.
  • Data Encrypted (T1022) – The malware exhibited encrypted communication methods while attempting to exfiltrate data.
  • Obfuscated Files or Information (T1027) – High entropy analysis indicates possible custom packing techniques used to hide its intent.

Indicators of Compromise:

  • [File Hash] SHA256: 875B0CBAD25E04A255B13F86BA361B58453B6F3C5CC11ACA2DB573C656E64E24
  • [File Hash] MD5: 15DC6A28B875B4706BCC0DB4A026AEB0
  • [Domain] www.addfriend.kr
  • [IP Address] 211.239.117.117
  • [URL] http://www.addfriend.kr/board/userfiles/temp/index.html
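As an added example (not code from the original report), a small Python detector that checks constructed, Sysmon-style JSON telemetry against the IOCs and the Run-key persistence behaviour listed above. The event field names and the sample events are assumptions; the hashes, domain, IP and registry key are the report’s.

```python
import json

# Indicators and behaviour from the report above.
IOC_SHA256 = "875b0cbad25e04a255b13f86ba361b58453b6f3c5cc11aca2db573c656e64e24"
IOC_MD5 = "15dc6a28b875b4706bcc0db4a026aeb0"
IOC_DOMAIN = "www.addfriend.kr"
IOC_IP = "211.239.117.117"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample telemetry (assumed field names), one JSON object per line.
SAMPLE_EVENTS = r"""
{"type":"process_create","image":"C:\\Users\\x\\875b0cbad25e04a255b13f86ba361b58453b6f3c5cc11aca2db573c656e64e24.exe","sha256":"875B0CBAD25E04A255B13F86BA361B58453B6F3C5CC11ACA2DB573C656E64E24"}
{"type":"registry_set","key":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\upd","value":"C:\\Users\\x\\svc.exe"}
{"type":"network_connect","dst_ip":"211.239.117.117","dst_port":443}
{"type":"dns_query","query":"www.addfriend.kr."}
{"type":"network_connect","dst_ip":"8.8.8.8","dst_port":53}
"""

def normalize_key(key: str) -> str:
    """Expand the HKLM short hive name and upper-case so comparisons are case-insensitive."""
    key = key.replace("/", "\\")
    if key.upper().startswith("HKLM\\"):
        key = "HKEY_LOCAL_MACHINE" + key[4:]
    return key.upper()

def match_event(ev: dict):
    """Return (tag, reason) when an event hits a report IOC or behaviour, else None."""
    t = ev.get("type")
    if t == "process_create":
        if ev.get("sha256", "").lower() == IOC_SHA256 or ev.get("md5", "").lower() == IOC_MD5:
            return ("IOC", "known APT38 sample hash executed")
    elif t == "registry_set":
        # Match values written directly under the Run key, but not RunOnce or other siblings.
        if normalize_key(ev.get("key", "")).startswith(RUN_KEY.upper() + "\\"):
            return ("T1060", "Run key persistence: " + ev["key"])
    elif t == "network_connect":
        if ev.get("dst_ip") == IOC_IP:
            return ("T1071", "connection to C2 IP " + IOC_IP)
    elif t == "dns_query":
        if ev.get("query", "").lower().rstrip(".") == IOC_DOMAIN:
            return ("T1071", "DNS lookup for C2 domain " + IOC_DOMAIN)
    return None

def scan(lines: str):
    """Parse newline-delimited JSON events and collect every IOC/behaviour hit."""
    hits = []
    for line in lines.strip().splitlines():
        try:
            ev = json.loads(line.strip())
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the scan
        m = match_event(ev)
        if m:
            hits.append(m)
    return hits
```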


Full Story: https://medium.com/@InfoSecDion/unpacking-apt38-static-and-dynamic-analysis-of-lazarus-group-malware-d2828e0fd6f0?source=rss——malware-5
