216.73.217.139

Analysis of the attack activities of APT-C-26 (Lazarus) using weaponized IPMsg software

· Published 02/01/2025 15:25 · Modified 02/01/2025 15:31

Export JSON

Essential information

Published
02/01/2025 15:25
Modified
02/01/2025 15:31
Tags
2025-01-02 apt att_loader_dll.dll backdoor c2 communication data theft dll64.dll ipmsg loader1.dll social engineering weaponized installer
Related entities
3 observables, 1 intrusion sets (apt), 11 techniques (mitre), 3 malware

Description

The Lazarus group, a highly active organization, has been observed weaponizing the installer for attacks. When executed, the malicious installer releases the official version 5.6.18.0 to deceive users while activating a malicious DLL in memory. This DLL connects to a remote control server to download programs and steal sensitive information. The attack showcases Lazarus' skills, effectively inducing users to execute malicious programs. The report details the attack process, payload analysis, and communication with the command and control server. The group's use of the domain cryptocopedia.com for C2 communications, along with similar URL patterns and TTPs, strongly suggests Lazarus' involvement in this campaign.

External references