Share this page!

ESET research Profile picture
Twitter logo
10 Nov, 5 tweets, 3 min read
#ESETresearch discovered a trojanized IDA Pro installer, distributed by the #Lazarus APT group. Attackers bundled the original IDA Pro 7.5 software developed by @HexRaysSA with two malicious components. @cherepanov74 1/5
Attackers replaced win_fw.dll, an internal component that is executed during IDA Pro installation, with a malicious DLL. The malicious win_fw.dll creates a Windows scheduled task that starts a second malicious component, idahelper.dll, from the IDA plugins folder. 2/5
Once started, the idahelper.dll attempts to download and execute a next-stage payload from https://www[.]devguardmap[.]org/board/board_read.asp?boardid=01 3/5
Based on the domain and trojanized application, we attribute this malware to known Lazarus activity, previously reported by Google’s Threat Analysis Group and Microsoft:
blog.google/threat-analysi…

microsoft.com/security/blog/…
4/5
IoCs
📄:
win_fw.dll A8EF73CC67C794D5AA860538D66898868EE0BEC0
idahelper.dll DE0E23DB04A7A780A640C656293336F80040F387
🚨:
Win32/NukeSped.KZ
Win64/NukeSped.JS
🌐:
devguardmap[.]org
#ESETresearch 5/5

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ESET research

ESET research Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ESETresearch

ESET research Profile picture
8 Oct
#ESETresearch analyzed #FontOnLake, a previously unknown #malware family that utilizes custom and well-designed modules, targeting #Linux systems.
welivesecurity.com/2021/10/07/fon…
@HrckaVladislav 1/6
Modules are under development and provide #remoteaccess to the operators, collect credentials + serve as a proxy server. To do this, #FontOnLake uses modified legitimate binaries adjusted to load further components, its presence is always accompanied by a #rootkit. 2/6
The sneaky nature of #FontOnLake tools, along with advanced design and low prevalence suggest usage in targeted attacks. #ESETresearch believes its operators are extra cautious as almost all samples seen use unique C&C servers with varying non-standard ports. 3/6
Read 6 tweets
ESET research Profile picture
7 Oct
Join #ESETresearch at #vblocalhost! Starting today, you can watch @RighardZw in a live presentation looking at internal attack scenarios and highlighting issues that have remained “foolishly ignored” for years (Thu 20:00 - 20:30 UTC). 1/4
On Friday, @zuzana_hromcova will walk the audience through the current landscape of IIS threats – ranging from traffic redirectors to backdoors – and share the essentials of reverse-engineering native IIS malware (Fri 17:45 - 18:15 UTC). 2/4
On demand you can watch @cherepanov74 and @Robert_Lipovsky as they guide you through the US #Sandworm indictment; @LukasStefanko will discuss the hidden cost of #Android #stalkerware. Finally, there is @RighardZw again in the panel debate. 3/4
Read 4 tweets
ESET research Profile picture
24 Aug
#ESETresearch has recently discovered a new undocumented modular backdoor, SideWalk, that was used by an APT group we named SparklingGoblin during one of its recent campaigns targeting a US-based computer retail company 🇺🇸. welivesecurity.com/2021/08/24/sid… @passil_t @mathieutartare 1/6
SideWalk is a modular backdoor that can dynamically load additional modules sent from the C&C server, makes use of Google Docs as a dead drop resolver, and @Cloudflare workers as a C&C server. It can also properly handle communication behind a proxy. 2/6
This backdoor shares multiple similarities with another backdoor used by the group: CROSSWALK, which FireEye was first to attribute to #APT41. This backdoor is referenced as ScrambleCross by Trend Micro 3/6
Read 6 tweets
ESET research Profile picture
30 Apr
#ESETresearch confirms that malicious digitally signed AnyDesk installers are distributed from anydesk.s3-us-west-1.amazonaws[.]com. Our telemetry shows that victims are redirected there from three attacker-controlled domains: zgnuo[.]com, clamspit[.]com and domohop[.]com. 1/4 Image
The three domains resolve to 176.111.174[.]127, 176.111.174[.]129 and 176.111.174[.]130, in the same IP range as the C&C server, 176.111.174[.]125. It seems victims, mainly located in North America, are redirected through malicious ads from different legitimate websites. 2/4
The fake installers are malicious downloaders that download a PowerShell script b.ps1 leading, in a few cases, to Cobalt Strike, as mentioned in the analysis of a past campaign: inde.nz/blog/different…. We also observed further recon activity using BloodHound and AdFind. 3/4
Read 5 tweets
ESET research Profile picture
2 Mar
We have received a lot questions about the Silver Sparrow malware for macOS after a publication by @redcanary. #ESETresearch has investigated and found that, far from speculations about nation-state malware, it is likely related to adware and pay-per-install schemes. 1/10
We have first seen Silver Sparrow in the wild early September. Our telemetry (although limited) showed under 50 instances of this threat, spread all around the globe. We have monitored the configuration file and never seen any actual payload delivered. 2/10
The fact that the configuration file is hosted in AWS S3 bucket means there is no way for the attackers to send different configuration to specific targets. S3 only supports serving static content and cannot generate a dynamic response based on IP or any request parameters. 3/10
Read 10 tweets
ESET research Profile picture
16 Nov 20
#ESETresearch discovered a supply-chain attack performed by #Lazarus APT group against South Korean 🇰🇷 internet users. @cherepanov74 @pkalnai welivesecurity.com/2020/11/16/laz… 1/7
WIZVERA VeraPort software is often used on internet banking and government websites in 🇰🇷 South Korea. The purpose of this software is to install additional security software required by some of these websites. 2/7
The attackers abused a combination of WIZVERA VeraPort software and compromised South Korean websites with VeraPort support, to deploy Lazarus malware. 3/7
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @ESETresearch has new unrolls!

Check out other threads from @ESETresearch!

Read all threads by @ESETresearch

:(