

May 4, 2023
Severity
High
Analysis Summary
Lazarus APT is a notorious advanced persistent threat (APT) group associated with North Korea, operating since at least 2009. The threat actors are suspected of being behind a number of diverse efforts, including cyber espionage and attacks on financial institutions, government agencies, and the military. They are known for conducting financially motivated attacks against various targets, including banks, cryptocurrency exchanges, and other financial institutions. The recent campaign uses a file named “OKX Binance & Huobi VIP fee comparision.xls,” which appears to be a malicious document designed to infect victims’ computers with malware. It is possible that the Lazarus APT group is using this file as part of a phishing campaign targeting individuals associated with cryptocurrency exchanges such as OKX, Binance, and Huobi.
The Lazarus Group is a highly sophisticated and well-funded organization and is considered to be one of the most significant threats to organizations and individuals in the cyber security landscape. To protect against Lazarus APT and similar threats, it is important to regularly update software and security patches, implement multi-factor authentication, be cautious when opening emails and attachments, and regularly back up important data.
Impact
- Information Theft and Espionage
- Exposure of Sensitive Data
Indicators of Compromise
Domain Name
- share.googlefiledrive.com
- googlefiledrive.com
MD5
- 292fbbf7e2ab20b12f4f2c0464a5b774
SHA-256
- 69ef7c4cb3849283c03eaa593b02ebbfd1d08d25ef9a58355d2a9909678d6c6d
SHA-1
- d21add8bee4feefe812b0c16a6a541bbdec14263
URL
- https://bit.ly/2HiQrJo
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of Compromise (IOCs) in your environment utilizing your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
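One way to carry out the "search for IOCs in your environment" step above, as an added example that is not part of the Rewterz advisory: a small Python scanner that loads the indicators listed in this alert and checks them against DNS, proxy and EDR log lines. The indicator values are the ones given above; the log lines, the host name WS-17, the client addresses and the log field layout are constructed for the example and are assumptions. The domain check goes slightly beyond the list by also flagging any subdomain of the listed domains, and hash matching is case-insensitive.

```python
import re

# Indicators copied from the advisory above.
IOC_DOMAINS = {"share.googlefiledrive.com", "googlefiledrive.com"}
IOC_URLS = {"https://bit.ly/2HiQrJo"}
IOC_HASHES = {
    "292fbbf7e2ab20b12f4f2c0464a5b774",                                   # MD5
    "69ef7c4cb3849283c03eaa593b02ebbfd1d08d25ef9a58355d2a9909678d6c6d",  # SHA-256
    "d21add8bee4feefe812b0c16a6a541bbdec14263",                           # SHA-1
}
IOC_FILENAMES = {"OKX Binance & Huobi VIP fee comparision.xls"}  # spelling as observed

# Host names: dotted labels ending in an alphabetic TLD (excludes bare IPs).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
# Hex runs of exactly MD5, SHA-1 or SHA-256 length; \b stops partial matches.
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)


def domain_matches(host):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_line(line):
    """Return a list of (indicator_type, value) hits found in one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        if domain_matches(host):
            hits.append(("domain", host.lower()))
    for h in HASH_RE.findall(line):
        if h.lower() in IOC_HASHES:
            hits.append(("hash", h.lower()))
    lowered = line.lower()
    for url in IOC_URLS:
        if url.lower() in lowered:
            hits.append(("url", url))
    for name in IOC_FILENAMES:
        if name.lower() in lowered:
            hits.append(("filename", name))
    return hits


def scan_lines(lines):
    """Return (line_number, line, hits) for every line with at least one hit."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((n, line, hits))
    return results


# Constructed sample log lines (not real telemetry); WS-17 and the
# 10.0.0.x clients are placeholders.
SAMPLE_LOGS = [
    "2023-05-04T09:12:01Z dns client=10.0.0.5 query=share.googlefiledrive.com type=A",
    "2023-05-04T09:12:03Z proxy client=10.0.0.5 url=https://bit.ly/2HiQrJo status=302",
    "2023-05-04T09:12:09Z edr host=WS-17 file='OKX Binance & Huobi VIP fee comparision.xls' "
    "sha256=69ef7c4cb3849283c03eaa593b02ebbfd1d08d25ef9a58355d2a9909678d6c6d",
    "2023-05-04T09:13:00Z dns client=10.0.0.8 query=www.example.com type=A",
    "2023-05-04T09:14:22Z dns client=10.0.0.9 query=CDN.GoogleFileDrive.com type=A",
]

if __name__ == "__main__":
    for n, line, hits in scan_lines(SAMPLE_LOGS):
        print(f"line {n}: {hits}")
        print(f"    {line}")
```

In practice the same functions can be fed the output of `zcat` on archived DNS or proxy logs, or the hash column of an EDR export; the sample list is only there so the block runs offline. The subdomain match is deliberate: a resolver log for a new host under googlefiledrive.com should be reviewed even though that exact label is not on the list.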