Rewterz

Rewterz Threat Alert – Lazarus Mobile Malware turning devices into bots

July 16, 2019
Rewterz

Rewterz Threat Alert – Reemergence of Smoke Loader

July 17, 2019

Rewterz Threat Alert – Continuing Lazarus Attacks – NukeSped Sample

Severity

High

Analysis Summary

HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. new Test NukeSped sample which use LAN ip for testing. The decypt code is similar to Sony attack which happen in 2014. Threat indicators are provided.

Impact

File encryption

Indicators of Compromise

URLs

  • http[:]//upload[.]childu[.]co[.]kr/include/OnlyOne1[.]asp
  • https[:]//www[.]byucksanpaint[.]com/community/com_gon_open[.]as
  • https[:]//www[.]byucksanpaint[.]com/main/main4[.]asp
  • https[:]//www[.]keyang[.]co[.]kr/pub/editor/wa_path[.]asp


Malware Hash (MD5/SHA1/SH256)

  • 3860487c19cbaa8500237c0c3a031bd904bd7031907c945b5d57f65bfc5c6ea2
  • 6b90e2a3f0ad8819b5afe67bf13451c9782af26a9f2bdac3a0e042569054e5fd
  • aeb0b1a850b3d0ccd6ae17dc065ee2d3e4e7927e
  • d7a722cb4fa08a84831bd688033c2004

Remediation

Block all threat indicators at your respective controls.

Reading this advisory was a good start.

Make it a habit.

Rewterz publishes threat advisories ahead of mainstream cybersecurity media, informed by an AI-Native Autonomous SOC that sees regional threat actor activity in real time. Subscribe to receive each new advisory as it publishes, plus a monthly Middle East threat landscape brief drawn from our own SOC telemetry. For teams evaluating their detection coverage, a 30-minute consultation with a senior analyst is also available, at your pace, when you're ready.