
Rewterz Threat Alert – North Korean Lazarus Active Again

April 22, 2020

Severity

High

Analysis Summary

A newly detected, active sample is being attributed to the North Korean Advanced Persistent Threat group known as Lazarus (also tracked as Hidden Cobra). The sample uses remote template injection: the lure document loads its template from a remote location, the fetched template carries the malicious macro, and the macro drops a backdoor that gives the operator remote control of the victim machine. Delivery is most likely an Office document detected as a Trojan dropper. The group's usual tradecraft includes zero-day exploitation, spear-phishing, custom malware, disinformation, backdoors and droppers. Lazarus is a financially motivated actor that has been linked to major breaches over the past decade. The attack may also exploit two Microsoft Office vulnerabilities: CVE-2017-11882, a memory corruption flaw in the Equation Editor component, and CVE-2017-0199, a remote code execution flaw in Office's handling of OLE objects. Both were patched by Microsoft in 2017, so only installations that have not applied those updates are exposed to this part of the chain.

Impact

  • Remote Code Execution
  • Unauthorized Remote Access

Indicators of Compromise

MD5

  • 26d6177ec7abf13a8500e6de4794a268
  • 4c239a926676087e31d82e79e838ced1

SHA-256

  • 34837b01c2c390477d32efc0f14d77e76094ec42402ae6509cf769c61a18fcd9
  • 34b4546e3468238702df24794e598add494beaeacf95df10af54d88b3d241e8a

SHA1

  • c096807e801d7cf978262758f2665c3be3d27e9d
  • 2bef437c6e7ed3c438d23e6cac0a7ffb9d2f3e26

Remediation

  • Block the listed indicators at the relevant controls (email gateway, web proxy, endpoint protection and SIEM) and retro-hunt for prior matches.
  • Keep Microsoft Office fully updated; in particular, confirm that the 2017 patches for CVE-2017-11882 and CVE-2017-0199 are installed.
  • Do not open or execute untrusted files from any source; treat Office documents that fetch remote content or prompt to enable macros as suspect.
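The following script is an added example, not Rewterz tooling: it hashes files against the advisory's indicators (the Indicators of Compromise above) and flags Word documents whose package relationships pull an attached template from a URL, the remote template injection pattern described in the Analysis Summary. The minimal `.docx` it builds and the template URL it uses are constructed for the demonstration and are not the real sample.

```python
"""Hunt helpers for this advisory: hash files against the listed IOCs and flag
Word documents that load an attached template from a URL.  Added example, not
Rewterz tooling; the document built by build_sample_docx() is constructed."""
import hashlib
import io
import os
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Indicators published in the advisory, lowercased for case-insensitive matching.
ADVISORY_IOCS: Set[str] = {
    "26d6177ec7abf13a8500e6de4794a268",                                  # MD5
    "4c239a926676087e31d82e79e838ced1",                                  # MD5
    "34837b01c2c390477d32efc0f14d77e76094ec42402ae6509cf769c61a18fcd9",  # SHA-256
    "34b4546e3468238702df24794e598add494beaeacf95df10af54d88b3d241e8a",  # SHA-256
    "c096807e801d7cf978262758f2665c3be3d27e9d",                          # SHA-1
    "2bef437c6e7ed3c438d23e6cac0a7ffb9d2f3e26",                          # SHA-1
}
HASH_ALGOS = ("md5", "sha1", "sha256")

# OOXML relationship type that Word uses for the document's attached template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 hex digests of `data`, keyed by algorithm name."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_ALGOS}


def ioc_matches(data: bytes, iocs: Set[str] = ADVISORY_IOCS) -> List[str]:
    """Algorithms under which `data` hashes to a listed indicator ([] if none)."""
    lowered = {h.lower() for h in iocs}
    return [algo for algo, digest in file_hashes(data).items() if digest in lowered]


def external_templates(data: bytes) -> List[str]:
    """Targets of attachedTemplate relationships marked TargetMode="External".

    A macro-free .docx that loads its template from a URL is the remote
    template injection pattern: Word fetches the template when the file is
    opened and the macro runs from there, so the attachment itself has no VBA
    to scan.  Every *.rels part is checked, not only settings.xml.rels.
    Non-zip input (an RTF lure, a PE dropper) yields [].
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    found: List[str] = []
    for name in zf.namelist():
        if not name.endswith(".rels"):
            continue
        try:
            root = ET.fromstring(zf.read(name))
        except ET.ParseError:
            continue
        for rel in root.iter(PKG_NS + "Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode", "Internal").lower() == "external"):
                found.append(rel.get("Target", ""))
    return found


def scan_directory(path: str) -> Iterator[Tuple[str, List[str], List[str]]]:
    """Yield (path, matching_algorithms, external_template_targets) for every
    file under `path` that matches an IOC or carries a remote template."""
    for dirpath, _, files in os.walk(path):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                data = fh.read()
            hits, templates = ioc_matches(data), external_templates(data)
            if hits or templates:
                yield full, hits, templates


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Constructed minimal Word package (NOT the real sample) with an optional
    remote attached template, so the detector can be exercised offline."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<Types xmlns="http://schemas.'
                    'openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    f'<w:document xmlns:w="{w_ns}"><w:body/></w:document>')
        if template_url:
            zf.writestr("word/settings.xml",
                        f'<w:settings xmlns:w="{w_ns}" xmlns:r="http://schemas.'
                        'openxmlformats.org/officeDocument/2006/relationships">'
                        '<w:attachedTemplate r:id="rId1"/></w:settings>')
            zf.writestr("word/_rels/settings.xml.rels",
                        f'<Relationships xmlns="{PKG_NS[1:-1]}">'
                        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                        f'Target="{template_url}" TargetMode="External"/>'
                        '</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical URL; real lures point at attacker-controlled hosts.
    doc = build_sample_docx("http://template.example/normal.dotm")
    print("remote templates:", external_templates(doc))
    print("IOC hits on constructed file:", ioc_matches(doc))
    for finding in scan_directory("."):
        print(finding)
```

Run it against a quarantine or mail-export directory; a hash hit identifies the known sample, while a non-empty template list identifies a lure that would only reveal its macro after fetching the remote `.dotm`. Note that `xml.etree` does not resolve external entities, but for bulk parsing of hostile input `defusedxml` is the safer drop-in.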
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.