Analysis of the attack activities of APT-C-26 (Lazarus) using weaponized IPMsg software
Jan. 2, 2025, 3:31 p.m.
Description
The Lazarus group, a highly active APT organization, has been observed weaponizing the IPMsg installer for attacks. When executed, the malicious installer drops the legitimate IPMsg version 5.6.18.0 to deceive the user while loading a malicious DLL in memory. This DLL connects to a remote command-and-control server to download backdoor programs and steal sensitive information. The attack showcases Lazarus' social engineering skills, effectively inducing users to execute malicious programs. The report details the attack process, payload analysis, and communication with the command and control server. The group's use of the domain cryptocopedia.com for C2 communications, along with similar URL patterns and TTPs, strongly suggests Lazarus' involvement in this campaign.
Tags
Date
- Created: Jan. 2, 2025, 3:25 p.m.
- Published: Jan. 2, 2025, 3:25 p.m.
- Modified: Jan. 2, 2025, 3:31 p.m.
Indicators
- 33be1a646e5ed46aa707455637e2116715592d1ef63feafb0fd2f66c872a634d
- https://cryptocedia.com/upgrade/latest.asp
- cryptocedia.com
Attack Patterns
- Dll64.dll
- Loader1.dll
- ATT_Loader_DLL.dll
- APT-C-26 (Lazarus)
- T1568
- T1102.002
- T1132.001
- T1573.001
- T1571
- T1095
- T1204.002
- T1055
- T1036
- T1140
- T1027