Rewterz Threat Alert – Cryptocurrency Business Continued to be Targeted by Lazarus
Severity
High
Analysis Summary
Lazarus continues to attack the cryptocurrency business with enhanced capabilities.To attack macOS users, the Lazarus group has developed homemade macOS malware, and added an authentication mechanism to deliver the next stage payload very carefully, as well as loading the next-stage payload without touching the disk. In addition, to attack Windows users, they have elaborated a multi-stage infection procedure, and significantly changed the final payload.
Impact
Exposure of sensitive information
Indicators of Compromise
MD5
6588d262529dc372c400bef8478c2eec
bb66ab2db0bad88ac6b829085164cbbb
e1953fa319cc11c2f003ad0542bca822
b63e8d4277b190e2e3f5236f07f89eee
da17802bc8d3eca26b7752e93f33034b
39cdf04be2ed479e0b4489ff37f95bbe
629b9de3e4b84b4a0aa605a3e9471b31
cb56955b70c87767dee81e23503086c3
f221349437f2f6707ecb2a75c3f39145
f051a18f79736799ac66f4ef7b28594b
e35b15b2c8bb9eda8bc4021accf7038d
bb04d77bda3ae9c9c3b6347f7aef19ac
24b3614d5c5e53e40b42b4e057001770
55ec67fa6572e65eae822c0b90dc8216
c2ffbf7f2f98c73b98198b4937119a18
a9e960948fdac81579d3b752e49aceda
3efeccfc6daf0bf99dcb36f247364052
8b4c532f10603a8e199aa4281384764e
be37637d8f6c1fbe7f3ffc702afdfe1d
267a64ed23336b4a3315550c74803611
055829e7600dbdae9f381f83f8e4ff36
6058368894f25b7bc8dd53d3a82d9146
URL
https[:]//www[.]wb-botorg/certpkg[.]php
http[:]//95[.]213[.]232170/ProbActive/index[.]do
http[:]//beastgoccom/grepmonux[.]php
https[:]//unioncryptovip/update
Remediation
Block all threat indicators at your respective controls.
Always be suspicious about emails sent by unknown senders.
Never click on the links/attachments sent by unknown senders.