{ "Event": { "analysis": "0", "date": "2019-01-14", "extends_uuid": "", "info": "2019-01-10: North Korea Lazarus Targeting REDBANC", "publish_timestamp": "1547585139", "published": true, "threat_level_id": "2", "timestamp": "1547585075", "uuid": "5c3c4a6d-15f0-4133-baff-3c2c68f8e8cf", "Orgc": { "name": "VK-Intel", "uuid": "5bfa439e-c978-4dcd-b474-73f568f8e8cf" }, "Tag": [ { "colour": "#e0b538", "local": "0", "name": "Actor: Lazarus", "relationship_type": "" }, { "colour": "#421b85", "local": "0", "name": "Ruse: Job Application", "relationship_type": "" }, { "colour": "#2133c6", "local": "0", "name": "Powershell", "relationship_type": "" }, { "colour": "#7a0e9f", "local": "0", "name": "PowerRatankba", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Trusted Relationship - T1199\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scripting - T1064\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scheduled Task - T1053\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Windows Management Instrumentation - T1047\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"New Service - T1050\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data from Local System - T1005\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data Encoding - T1132\"", "relationship_type": "" }, { "colour": "#8aec22", "local": "0", "name": "report:5ZvWjgDgRhuD1zVgDT7-cg", "relationship_type": "" } ], "Attribute": [ { "category": "Payload installation", "comment": "Malware Hash", "deleted": false, "disable_correlation": false, "timestamp": "1547455129", "to_ids": true, "type": "sha256", "uuid": "5c3c4a99-8830-4833-81d5-3c3068f8e8cf", "value": "f12db45c32bda3108adb8ae7363c342fdd5f10342945b115d830701f95c54fa9" }, { "category": "Payload installation", "comment": "Malware Hash", "deleted": false, "disable_correlation": false, "timestamp": "1547455129", "to_ids": true, "type": "sha256", "uuid": "5c3c4a99-9a68-4e6c-a9a4-3c3068f8e8cf", "value": "0f56ebca33efe0a2755d3b380167e1f5eab4e6180518c03b28d5cffd5b675d26" }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1547477647", "to_ids": true, "type": "url", "uuid": "5c3ca28f-cb88-44d1-a7ce-382d68f8e8cf", "value": "https://ecombox.store" }, { "category": "Payload installation", "comment": "apt_possible_lazarus_powerratankba_b", "deleted": false, "disable_correlation": false, "timestamp": "1547479055", "to_ids": true, "type": "yara", "uuid": "5c3ca80f-b398-47e5-b633-124a0a640c05", "value": "rule apt_possible_lazarus_powerratankba_b {\r\n meta:\r\n description = \"Detects possible Lazarus PowerRatankba.B from Redbanc\"\r\n author = \"@VK_Intel\"\r\n date = \"2019-01-15\"\r\n hash1 = \"db8163d054a35522d0dec35743cfd2c9872e0eb446467b573a79f84d61761471\"\r\n strings:\r\n $f0 = \"function EncryptDES\" fullword ascii\r\n $s0 = \"$ProID = Start-Process powershell.exe -PassThru -WindowStyle Hidden -ArgumentList\" fullword ascii\r\n $s1 = \"$respTxt = HttpRequestFunc_doprocess -szURI $szFullURL -szMethod $szMethod -contentData $contentData;\" fullword ascii\r\n $s2 = \"$cmdSchedule = 'schtasks /create /tn \\\"ProxyServerUpdater\\\"\" ascii\r\n $s3 = \"/tr \\\"powershell.exe -ep bypass -windowstyle hidden -file \" ascii\r\n $s4 = \"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\tmp' + -join \" ascii\r\n $s5 = \"$cmdResult = cmd.exe /c $cmdInst | Out-String;\" fullword ascii\r\n $s6 = \"whoami /groups | findstr /c:\\\"S-1-5-32-544\\\"\" fullword ascii\r\n condition:\r\n filesize < 500KB and $f0 and 2 of ($s*) \r\n}" }, { "category": "Payload installation", "comment": "Powershell Agent & PowerRatankba", "deleted": false, "disable_correlation": false, "timestamp": "1547493833", "to_ids": true, "type": "sha256", "uuid": "5c3ce1c9-39e4-4b59-90e4-5a350a640c05", "value": "a1f06d69bd6379e310b10a364d689f21499953fa1118ec699a25072779de5d9b" }, { "category": "Payload installation", "comment": "Powershell Agent & PowerRatankba", "deleted": false, "disable_correlation": false, "timestamp": "1547493833", "to_ids": true, "type": "sha256", "uuid": "5c3ce1c9-4d80-470f-9cfc-5a350a640c05", "value": "20d94f7d8ee2c4367443a930370d5685789762b1d11794810dc0ac6c626ad78e" }, { "category": "Network activity", "comment": "URL C2 backup", "deleted": false, "disable_correlation": false, "timestamp": "1547493895", "to_ids": true, "type": "url", "uuid": "5c3ce207-b7f0-468f-8e5a-5a330a640c05", "value": "https://bodyshoppechiropractic.com" } ] } }