Rewterz

Rewterz Threat Alert – Continuing Lazarus Attacks – NukeSped Sample

Severity

High

Analysis Summary

HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. A new test NukeSped sample has been observed that uses a LAN IP address for testing. Its decryption code is similar to that used in the 2014 Sony attack. Threat indicators are provided.

Impact

File encryption

Indicators of Compromise

URLs

  • http[:]//upload[.]childu[.]co[.]kr/include/OnlyOne1[.]asp
  • https[:]//www[.]byucksanpaint[.]com/community/com_gon_open[.]as
  • https[:]//www[.]byucksanpaint[.]com/main/main4[.]asp
  • https[:]//www[.]keyang[.]co[.]kr/pub/editor/wa_path[.]asp


Malware Hash (MD5/SHA1/SHA256)

  • 3860487c19cbaa8500237c0c3a031bd904bd7031907c945b5d57f65bfc5c6ea2
  • 6b90e2a3f0ad8819b5afe67bf13451c9782af26a9f2bdac3a0e042569054e5fd
  • aeb0b1a850b3d0ccd6ae17dc065ee2d3e4e7927e
  • d7a722cb4fa08a84831bd688033c2004

Remediation

Block all threat indicators at your respective controls.
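As an added defender-side example (not part of the alert), a small Python helper that refangs the alert's published URLs and sweeps proxy log lines and a file-hash export for the indicators above; the log lines, file paths and the second inventory hash are constructed for the example, and each published hash's algorithm is inferred from its hex length because the alert does not label them.

```python
# Indicators copied verbatim from the alert above (published defanged).
ALERT_URLS = [
    "http[:]//upload[.]childu[.]co[.]kr/include/OnlyOne1[.]asp",
    "https[:]//www[.]byucksanpaint[.]com/community/com_gon_open[.]as",
    "https[:]//www[.]byucksanpaint[.]com/main/main4[.]asp",
    "https[:]//www[.]keyang[.]co[.]kr/pub/editor/wa_path[.]asp",
]
ALERT_HASHES = {
    "3860487c19cbaa8500237c0c3a031bd904bd7031907c945b5d57f65bfc5c6ea2",
    "6b90e2a3f0ad8819b5afe67bf13451c9782af26a9f2bdac3a0e042569054e5fd",
    "aeb0b1a850b3d0ccd6ae17dc065ee2d3e4e7927e",
    "d7a722cb4fa08a84831bd688033c2004",
}
# The alert does not say which algorithm each hash is; the hex length tells.
ALGO_BY_HEX_LEN = {32: "MD5", 40: "SHA1", 64: "SHA256"}


def refang(indicator: str) -> str:
    """Undo the [.] and [:] defanging so the URL compares against real log text."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def url_hits(log_lines):
    """Return [(line_no, refanged_url)] for each log line containing an alert URL."""
    targets = [refang(u) for u in ALERT_URLS]
    return [(n, t) for n, line in enumerate(log_lines, 1)
            for t in targets if t in line]


def hash_hits(inventory):
    """inventory: iterable of (path, hex_digest) pairs, e.g. an EDR file-hash export.
    Returns [(path, algorithm, digest)] for digests that appear in the alert."""
    hits = []
    for path, digest in inventory:
        d = digest.strip().lower()  # exports often use upper-case hex
        if d in ALERT_HASHES:
            hits.append((path, ALGO_BY_HEX_LEN.get(len(d), "unknown"), d))
    return hits


# Constructed sample data (not from the alert): two proxy lines and a hash export.
SAMPLE_PROXY_LOG = [
    "2019-07-17T09:12:01Z 10.0.0.15 GET https://www.example.org/index.html 200",
    "2019-07-17T09:12:44Z 10.0.0.15 GET https://www.byucksanpaint.com/main/main4.asp 200",
]
SAMPLE_INVENTORY = [
    ("C:\\Users\\Public\\update.exe", "D7A722CB4FA08A84831BD688033C2004"),
    ("C:\\Windows\\notepad.exe", "0123456789abcdef0123456789abcdef"),
]
```

Feed `url_hits` your proxy or DNS logs and `hash_hits` an endpoint hash export; any hit is a host to isolate and investigate, not just a block-list entry.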