Rewterz Threat Alert – Lazarus APT Group, Attacked as Identity Document

Severity

High

Analysis Summary

A new malicious HWP document has been discovered today, while the activities of the Lazarus group, one of the leading hacking organizations sponsored by the government, continue to be captured.

The file name of this document is ‘(Required) Subcontractor Statement .hwp’ , and the production date is July 12, 2019. the type of document is aimed at the outsourcing staff of a particular company.

And it is similar to the ‘ investment contract_20190619.hwp’ attack code, but there is one more feature to add code obfuscation.

‘(Required) Subcontractor’s personal statement .hwp’ Malicious documents also appear to have been used by the same Lazarus threat group , and include the following malicious postscripts:

When the document is run, malicious code will work, depending on the vulnerability, while showing the following normal text:

If you look at the content, it contains a template for a new financial statement from a specific financial related subcontractor.

PostScript has the following hexadecimal code encrypted with XOR logic:

Impact

File encryption

Indicators of Compromise

URLs

• https[:]//technokain[.]com/ads/adshow1[.]dat
• https[:]//technokain[.]com/ads/adshow2[.]dat
• https[:]//www[.]adhyatmikpunarjagran[.]org/wp-includes/Text/about[.]php
• https[:]//www[.]payngrab[.]com/wordpress/wp-content/plugins/megamenu/about[.]php
• https[:]//www[.]weeklyexperts[.]com/wp-content/plugins/revslider/about[.]php

Filename

• (Required) Subcontractor Statement .hwp
• investment contract_20190619.hwp
• the system porting agreement (modified) .hwp

Malware Hash (MD5/SHA1/SH256)

• 28ef91c65dc459592d02a198b0a446f0
• a53446de32556f2a496f8d7e78cd4249
• ef118025c43889f0fb9d5c816e815981
• f79cc1ab1b4f0d18eba0bd3899edcf44

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Update to the latest Microsoft office version.