Analysis of the attack activities of APT-C-26 (Lazarus) using weaponized IPMsg software

Jan. 2, 2025, 3:31 p.m.

Description

The Lazarus group, a highly active APT organization, has been observed weaponizing the IPMsg installer for attacks. When executed, the malicious installer releases the official IPMsg version 5.6.18.0 to deceive users while activating a malicious DLL in memory. This DLL connects to a remote control server to download backdoor programs and steal sensitive information. The attack showcases Lazarus' social engineering skills, effectively inducing users to execute malicious programs. The report details the attack process, payload analysis, and communication with the command and control server. The group's use of the domain cryptocopedia.com for C2 communications, along with similar URL patterns and TTPs, strongly suggests Lazarus' involvement in this campaign.

External References

https://mp.weixin.qq.com/s/XuaMRmZSomKFoaX7XrqpYA
https://otx.alienvault.com/pulse/6776afd2557ef89053bca044
Tags
backdoor
apt
social engineering
data theft
c2 communication
2025-01-02
ipmsg
dll64.dll
loader1.dll
att_loader_dll.dll
weaponized installer

Date

  • Created: Jan. 2, 2025, 3:25 p.m.
  • Published: Jan. 2, 2025, 3:25 p.m.
  • Modified: Jan. 2, 2025, 3:31 p.m.

Indicators

  • 33be1a646e5ed46aa707455637e2116715592d1ef63feafb0fd2f66c872a634d
  • https://cryptocedia.com/upgrade/latest.asp
  • cryptocedia.com
Download all indicators here!

Attack Patterns

  • Dll64.dll
  • Loader1.dll
  • ATT_Loader_DLL.dll
  • APT-C-26 (Lazarus)
  • T1568
  • T1102.002
  • T1132.001
  • T1573.001
  • T1571
  • T1095
  • T1204.002
  • T1055
  • T1036
  • T1140
  • T1027