APT Lazarus: Eager Crypto Beavers, Video calls and Games

Sept. 9, 2024, 8:25 a.m.

Description

Group-IB explored the growing threat posed by the Lazarus Group's financially driven campaign against developers. Group-IB examined the group's recent Python scripts, including the CivetQ and BeaverTail malware variants, along with the updated Windows and Python releases of those tools. Additionally, they analyzed the group's tactics, techniques, and indicators of compromise.

Date

  • Created: Sept. 9, 2024, 7:53 a.m.
  • Published: Sept. 9, 2024, 7:53 a.m.
  • Modified: Sept. 9, 2024, 8:25 a.m.

Indicators

  • de6f9e9e2ce58a604fe22a9d42144191cfc90b4e0048dffcc69d696826ff7170
  • fd9e8fcc5bda88870b12b47cbb1cc8775ccff285f980c4a2b683463b26e36bf0
  • ddc4162a71f13cc39519c0f8917b960f3536c47be710bde010bb6e87afe16bc5
  • dcde59721b78e6797ee7f79c0e19c4a1c5a7806d20cbfa4a6ebb8efca189baf3
  • d8806fb404bf29e4a3941c912cbb48553ad5340e1b7195a94e6abf8d75b9102c
  • d5c0b89e1dfbe9f5e5b2c3f745af895a36adf772f0b72a22052ae6dfa045cea6
  • d502f822e6c52345227b64e3c326e2dbefdd8fc3f844df0821598f8d3732f763
  • d356a0668a0f7827d8041eaebdbc003a5b96fe0d82a353ab802dab31bdc5c323
  • ce572304131bd7c4fd34c3a919de403007c842d9c225d080b4ac31e7c8da606e
  • cd13a9c92210ada940a44769874dd6716f85c4e4e9d7323ec5789c7b253d937d
  • c373c4c2922f7ca49e2cf5670052d071b15649164ed32a321b7c6fb1a7f2ca6b
  • c19cdedf8f800d2eeccd5094d7d054dcc00a998356eeae822c14a25f0ce400f2
  • c0110cb21ae0e7fb5dec83ca90db9e250b47a394662810f230eb621b0728aa97
  • b8e69d6a766b9088d650e850a638d7ab7c9f59f4e24e2bc8eac41c380876b0d8
  • b653153a94c275f8f1156298c905b86943cb2a63c8b2211e65cf2a1a671c98d1
  • b378d389fd31c6cb65fc85ea960b609049c5f97266cafcbfc6d261fa09355cc0
  • a87b6664b718a9985267f9670e10339372419b320aa3d3da350f9f71dff35dd1
  • a6c9f8c06fdb15de26656e5e490990984634e2c1c05232d3260c29970f9dd6f3
  • 9e3a9dbf10793a27361b3cef4d2c87dbd3662646f4470e5242074df4cb96c6b4
  • 9abf6b93eafb797a3556bea1fe8a3b7311d2864d5a9a3687fce84bc1ec4a428c
  • 9742da5b33866edb8b280fe10909f3f60bc5bf3a33e918d9889e4552f5ce25e3
  • 9110515c2d5f6f48871f0631f411d55f2f0307286e6678952f5d86abe5ce11a9
  • 887594f18cdbbae4ceef62572e813810b75c8edfb3c4971097d8f8a74f9f103c
  • 7f13ca9848086e3de9be971ea8d44ea97ec289c4565ce35b0049c8b534fccbef
  • 7e378c2f0a92c355473b2e2d25d6df9d075ccf89048f7ab10dd4d30c2243a6b1
  • 7180f5a1c2554b77b4c21a727cca65cc0f9f023f6cac05b295d7172dad07023f
  • 64b1aca7b36e662132ae60c2d2df6ea5872239d2b2632d88fdf1b1f383e0d446
  • 47e876110f5e478a739ca3ad034707c1011c89d3a73a1047d0bfa5359a9cfe4b
  • 36cac29ff3c503c2123514ea903836d5ad81067508a8e16f7947e3e675a08670
  • 306adab1769c48e09e5a637c82b6b32cd57e4895cc727860f02b558f406e7f34
  • 301678669e05064d13f1912caae530f0b23f5c83a98352e4b0b53a19128a40cf
  • 2f86acdfdf19c1719189fb121cc9391453d83989aa5c07d4144c9fb6585610cc
  • 2ed5e202190df967c06750ba11aa8486c309e21875594a68f3dff3abb01f569d
  • 2a8c90885a8bea74cfe918f3ac6b939990e5ff25434a8c70f7a67d42e03936bd
  • 24b89c77eaeebd4b02c8e8ab6ad3bd7abaa18893ecd469a6a04eda5e374dd305
  • 23b2df9ae70e592c6d82ee1aa1edd00aee982fc2df859f813224a0c908106789
  • 1be03204709c037378ae96197700148303875a99b8f14838bdabfaceed5693e4
  • 1e5d3ee4c0eb6d67f6bc812cf492c53683962252ddb6ac5285ed251ab4a48ddc
  • 14e52430f1d1fa390973294d50849ee500061758721c8e28424871812d237132
  • 0f5f0a3ac843df675168f82021c24180ea22f764f87f82f9f77fe8f0ba0b7132
  • 06384aedc3614ee73cc7319e30975fca00d43981b626ba5f2b993a254e20d818
  • 0621d37818c35e2557fdd8a729e50ea662ba518df8ca61a44cc3add5c6deb3cd
  • 0620a7fa8c6e416d96fe3d3baf4cd925b1a72ce1db8d3eacfb1e10c5fe434962
  • 01b7306554f6e6bac63f5524588ff5c880b5afb4394074d1c132ecc554c72c83
  • 0049e2f4f746aa0ec1713cb83dbf8e30d535c01e7b7f10133ae14da0c6a68d69
  • 000b4a77b1905cabdb59d2b576f6da1b2ef55a0258004e4a9e290e9f41fb6923
  • 95.164.17.24
  • 45.61.160.14
  • 45.140.147.208
  • 23.106.253.194
  • 185.235.241.208
  • 172.86.98.240
  • 172.86.98.143
  • 172.86.97.80
  • 172.86.123.35
  • 167.88.36.13
  • 167.88.168.24
  • 167.88.168.152
  • 147.124.214.129
  • 147.124.213.11
  • 147.124.213.29
  • 147.124.212.89
  • 147.124.212.146
  • 144.172.79.23
  • 144.172.74.48
  • 91.92.120.135
  • 67.203.7.245
  • 45.61.169.187
  • 45.61.131.218
  • 147.124.214.237
  • 77.37.37.81
  • 67.203.7.171
  • 173.211.106.101
  • 147.124.214.131
  • http://regioncheck.net
  • http://mirotalk.net
  • http://ipcheck.cloud
  • http://freeconference.io
  • http://45.61.130.0
  • http://45.61.129.255
  • regioncheck.net
  • mirotalk.net
  • ipcheck.cloud
  • freeconference.io
  • blocktestingto.com

Attack Patterns

  • CivetQ
  • BeaverTail
  • Lazarus Group
  • T1555.005
  • T1555.001
  • T1608.001
  • T1059.006
  • T1555.003
  • T1115
  • T1571
  • T1547.001
  • T1059.007
  • T1056.001
  • T1071.001
  • T1543.001
  • T1204.002
  • T1082
  • T1105
  • T1543
  • T1132
  • T1033
  • T1560
  • T1566