Analysis of the attack activities of APT-C-26 (Lazarus) using weaponized IPMsg software
Jan. 2, 2025, 3:31 p.m.
Description
The Lazarus group, a highly active APT organization, has been observed weaponizing the IPMsg installer for attacks. When executed, the malicious installer releases the official IPMsg version 5.6.18.0 to deceive users while activating a malicious DLL in memory. This DLL connects to a remote control server to download backdoor programs and steal sensitive information. The attack showcases Lazarus' social engineering skills, effectively inducing users to execute malicious programs. The report details the attack process, payload analysis, and communication with the command and control server. The group's use of the domain cryptocopedia.com for C2 communications, along with similar URL patterns and TTPs, strongly suggests Lazarus' involvement in this campaign.
Date
Published: Jan. 2, 2025, 3:25 p.m.
Created: Jan. 2, 2025, 3:25 p.m.
Modified: Jan. 2, 2025, 3:31 p.m.
Indicators
33be1a646e5ed46aa707455637e2116715592d1ef63feafb0fd2f66c872a634d
https://cryptocedia.com/upgrade/latest.asp
cryptocedia.com
Attack Patterns
Dll64.dll
Loader1.dll
ATT_Loader_DLL.dll
APT-C-26 (Lazarus)
T1568
T1102.002
T1132.001
T1573.001
T1571
T1095
T1204.002
T1055
T1036
T1140
T1027