Discover and read the best of Twitter Threads about #Lazarus

Most recents (21)

🚨 1/ Ongoing campaign primarily targeting security researchers here on Twitter.

Possibly they are trying to exploit some vulnerability in Internet Explorer and database tools like Navicat. I haven't been able to get the malicious payload yet, but something fishy is going on 🤔 ImageImageImageImage
2/ Tweets mention things like #0day, #databreach, #Kimsuky, #Lazarus and point to a file download on pan[.]baidu[.]com, just now removed.

There is also a repo on Github with connection data and credentials to supposed DBs and Web Apps that ask to use IE 🤭 ImageImageImageImage
3/ I tried 211.143.190.233:2222, at first glance harmless, but in the code we see that it points to a rather suspicious .JS.

When we deofuscate and clean, a hidden URL appears that could load the next stage, however I could not get it (maybe geofenced or some other trick). ImageImageImageImage
Read 7 tweets
⚠️ Heads up y'all—we're seen a huge increase in the # of ultra-targeted spearphishes lately.

The most deadly one? A Google Doc share that appears to come from *someone you know* about *something you're interested in*

It won’t be flagged and looks super legit.

DO NOT CLICK! 🙏 Image
This campaign is the work of #Lazarus / #APT38 / #DangerousPassword / #T444

aka the same crew that compromised Ronin, Harmony, bZx, Bondly, EasyFi, mngr, Arthur0x, Hugh Karp, etc. etc. etc.

Their spear-phishing methods are diverse, targetted, and hard-to-detect. Image
Recent subject lines / filenames:

Fast Changes in NFT Price (Protected)
Investor Demo Day-Animoca Brands (Protected)
Jump Crypto Investment Agreement
New Credit Investment Opportunity
Spirit Blockchain Capital 2023 - Pitch Deck

Opening the file *may* result in something like: ImageImageImage
Read 10 tweets
For the last five years, I've been working on a book on the Raising of #Lazarus, today's beautiful Gospel reading from Jn 11, called "Come Forth." The book includes some images of Lazarus from art, as well as photos of current-day Bethany, Al Eizariya. The first is the oldest...
....known image of Lazarus, in the Giordani Catacombs, from the 4C.

Next is James Tissot's image, which depicts the current-day layout of the tomb with remarkable accuracy. Tissot spent months in the Holy Land in the late 19C trying to capture the landscape and peoples...
Here is an image from the "Les Très Riches Heures du Duc de Berry," a 15C prayer book, which shows Lazarus crawling out of his marble tomb. As is the tradition, someone covers his face against the "stench" reported in today's Gospel....
Read 8 tweets
1/ Today the FBI identified the North Korean hacker group Lazarus Group and APT38 as the Horizon Bridge attackers, with the hacker group using malware called 'TraderTraitor' to carry out the attack.
1/and laundered over $60 million in stolen Ether through a privacy protocol called Railgun. What are "TraderTraitor" and Railgun? @evilcos
2/ 'TraderTraitor' is Lazarus' malware that targets the cryptocurrency industry and blockchain technology primarily by luring employees of cryptocurrency-related platforms to download it.
Read 17 tweets
#ESETresearch has discovered #Lazarus attacks against targets in 🇳🇱 and 🇧🇪, spreading via spearphishing emails and exploiting the CVE-2021-21551 vulnerability to disable the monitoring of all security solutions on compromised machines @pkalnai welivesecurity.com/2022/09/30/ama…
@pkalnai The attack started with spearphishing emails connected to fake job offers, targeting an aerospace company in the Netherlands, and a political journalist in Belgium. The attackers then deployed a VMProtect-ed version of #BLINDINGCAN, a fully featured HTTP(S) backdoor. 2/6
@pkalnai Notably, the attackers used a rootkit named FudModule.dll, that modifies kernel variables and removes kernel callbacks to disable monitoring of all security solutions on the system. This is the first recorded abuse of the CVE-2021-21551 vulnerability in Dell DBUtil drivers. 3/6
Read 6 tweets
#ESETresearch #BREAKING A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil 🇧🇷. This is an instance of Operation In(ter)ception by #Lazarus for Mac. @pkalnai @dbreitenbacher 1/7
Malware is compiled for both Intel and Apple Silicon. It drops three files: a decoy PDF document Coinbase_online_careers_2022_07.pdf, a bundle FinderFontsUpdater.app and a downloader safarifontagent. It is similar to #ESETresearch discovery in May. 2/7
However, this time the bundle is signed July 21 (according to the timestamp) using a certificate issued in February 2022 to a developer named Shankey Nohria and team identifier 264HFWQH63. The application is not notarized and Apple has revoked the certificate on August 12. 3/7
Read 7 tweets
1/20 Some thoughts on the ban of #TornadoCash by OFAC:
2/20 On 8/8/22, "TORNADO CASH", tornado.cash websites + some related smart contracts were added to the list of Specially Designated Nationals + Blocked Persons (#SDN List) under the OFAC's Cyber-Related Sanctions program [CYBER2]
3/20 #CYBER2 requires US persons to block the property and interests in property of persons added to the #SDN list. CYBER2’s legal basis is Executive Order (EO) 13757 (Dec 28, 2016), which amends EO 13694 (Apr 1, 2015). home.treasury.gov/system/files/1…
Read 20 tweets
தேவசகாயம் பிள்ளை புனிதரா?? சதியா??

300 ஆண்டுகளுக்கு முன்பு வாழ்ந்த தேவசகாயம் பிள்ளை க்கு, வாடிகனால் தற்போது புனிதர் பட்டம் வழங்கப்பட்டதின் பின்னணி என்ன என்று ஆராய்ந்து பார்த்தால் புரியும், இது மிஷனரிகளின் சதி என்று
23-4-1712 அன்று கேரளா மாநிலத்தில், (தற்போது தமிழ்நாட்டில் உள்ள கன்னியாகுமரி) உள்ள, நட்டனத்தில், ஹிந்து பெற்றோருக்கு புதல்வனாக நீலகண்டப் பிள்ளை பிறந்தார்.

அப்போது கன்னியாகுமரியை, திருவிதாங்கூர் அரசரான மார்த்தாண்ட வர்மா என்னும் மாவீரர் ஆட்சி செலுத்தி வந்தார்.
படை எடுத்து வந்த டச்சுக்காரர்களை, மார்ர்த்தாண்ட வர்மா துவம்சம் செய்து விரட்டியது ஒரு சரித்திர நிகழ்ச்சி!

மார்த்தாண்ட வர்மாவிடம் பணிபுரிந்த நீலகண்டப் பிள்ளை, டச்சு கடற்படை கேப்டன் ஆவுஸ்டாஷியஸ் டி லெனாய் (Austachius De Lanoy) என்பவனின் சூழ்ச்சியால்,
Read 11 tweets
#ESETresearch In November 2020, a Windows executable called mozila.cpl was submitted to VirusTotal from Germany 🇩🇪. At that time, it had zero detection rate and it is still very low now. The file is a trojanized sqlite-3.31.1 library and we attribute
it to #Lazarus. @pkalnai 1/4 Image
The library contains an embedded payload. A command line argument S0RMM-50QQE-F65DN-DCPYN-5QEQA must be provided for its decryption and additional parameters are passed to the payload.  2/4
The payload is an instance of the HTTP(s) uploader mentioned in the report by HvS-Consulting from December 2020. Its main purpose is to exfiltrate RAR archives from a victim’s system. 
hvs-consulting.de/public/ThreatR… 3/4 Image
Read 4 tweets
#ESETresearch A year ago, a signed Mach-O executable disguised as a job description was uploaded to VirusTotal from Singapore 🇸🇬. Malware is compiled for Intel and Apple Silicon and drops a PDF decoy. We think it was part of #Lazarus campaign for Mac. @pkalnai @marc_etienne_ 1/8
The document, named BitazuCapital_JobDescription.pdf, reminds a strong similarity with a lure from Lazarus attacks using 2 TOY GUYS code-signing certificates for Windows, targeting aerospace and defense industries. welivesecurity.com/wp-content/upl… 2/8
Both decoys are PDF v1.5 documents produced by Microsoft Word 2016. They are obviously not identical, as one uses Colonna MT font while the other uses Calibri, but the title and ornaments on the front page have the same colors (#569bd5 and #aacc5db). 3/8
Read 8 tweets
Thread on #APT grps, #hacktivists, #Ransomware gangs with their ‘likely’ associations (as per TTPs and reports) that are playing a significant role in impending #Ukraine #Russian conflict. Correct me if i am wrong or missing any one. 1/
Firstly on Russian 🇷🇺side there are #GhostWriter (#Belarus Govt Backed) #CozyBear (Russian Foreign Intel aka #SVR) #UNC1151 (Minsk based) #FancyBears & #SandWorm (Russian Military Intel aka #GRU) #Turla and #Gamaredon (Russian Internal Intel #FSB Former KGB) 2/
Read 7 tweets
#ESETresearch discovered a trojanized IDA Pro installer, distributed by the #Lazarus APT group. Attackers bundled the original IDA Pro 7.5 software developed by @HexRaysSA with two malicious components. @cherepanov74 1/5
Attackers replaced win_fw.dll, an internal component that is executed during IDA Pro installation, with a malicious DLL. The malicious win_fw.dll creates a Windows scheduled task that starts a second malicious component, idahelper.dll, from the IDA plugins folder. 2/5
Once started, the idahelper.dll attempts to download and execute a next-stage payload from https://www[.]devguardmap[.]org/board/board_read.asp?boardid=01 3/5
Read 5 tweets
Some updates on this suspected #Lazarus #APT:(thread, 1/4)
1) The remote template is VBA stomped or at least it was able to hide itself from olevba and oledump
2) The remote template drops an obfuscated vbs file and registers it as a scheduled service
3) All the strings in "OneDriveUpdateNew.vbs" are obfuscated and are decoded using "string_decoder" function with a hardcoded key table.

You can see the decoder and list of the decoded strings used by this vbs file here:
github.com/HHJazi/APT
2/4
4) The vbs file collects the victim info and builds an HTTP request:
"Username-ComputerName_UUID;OSName"
5) Then it encodes the request using hard coded key and sends the generated request to C2
6) Receives a payload from the C2 and writes it into "%APPDATA%/OD_update.exe"
3/4
Read 4 tweets
Diving into the #Lazarus sample that mentioned in nice blog tinyurl.com/mdyxr8m3. I recognized it uses 2 custom algorithms for decoding strings.
- 1st is modified RC4 to decrypt API functions name.
- 2nd is custom algo to decrypt C2 urls and user agent strings (1/4)
For decrypting API functions name, it decode base64 string and call modified rc4 algo to decrypt the decoded base64 string (2/4).
For decrypting C2 urls and user agent strings, it also decode base64 string and call the custom algo to decrypt the encoded base64 string (3/4).
Read 4 tweets
296. #SophieJones (2021) A raw and resonant coming of age story about dealing with grief and overcome pain,it feels very personal. The cinematography is gorgeous and visually stunning with excellent performances by the cast especially the lead who is great.Really good. ⭐⭐⭐1/2 ImageImageImageImage
296. #Moxie (2021) A fun and entertaining coming of age movie that might be a bit flawed, but the performances by the cast is good and it is a bit long however it deals with a lot of important issues and it have a really powerful scene at the end, the direction is strong. ⭐⭐⭐ ImageImageImageImage
297. #TheHitchHiker (1953) A swift thrilling noir film that is visually pleasing with great direction, it is very tense,suspensful and fast paced (yeah it's only 70 min)anchored by a trio of great performances by the cast. The story might not fully fleshed but still fun. ⭐⭐⭐⭐ ImageImageImageImage
Read 287 tweets
1. The more I look at these Trump election contests the more apparent they're all linked to the criminal conspiracy to impair the @USPS. Question for me: Do the lawyers know the the criminal purpose sufficiently to have incurred criminal liability?
2. For Rudy & Sidney Powell, I think it likely. For run-of-the-mill local counsel, absent more proof, I would think not. But Rudy & Powell likely will be seeking pardons that may have been part of their deal. And with them, Trump will dig himself a deeper hole and the ongoing
3. nature of the conspiracy will bring Rudy and Grisham a taste of my #Lazarus Theory that says you cannot successfully pardon an on-going conspiracy because the continued agreement plus a single overt act in furtherance of the unlawful purpose done by any conspirator
Read 4 tweets
#ESETresearch discovered a supply-chain attack performed by #Lazarus APT group against South Korean 🇰🇷 internet users. @cherepanov74 @pkalnai welivesecurity.com/2020/11/16/laz… 1/7
WIZVERA VeraPort software is often used on internet banking and government websites in 🇰🇷 South Korea. The purpose of this software is to install additional security software required by some of these websites. 2/7
The attackers abused a combination of WIZVERA VeraPort software and compromised South Korean websites with VeraPort support, to deploy Lazarus malware. 3/7
Read 7 tweets
#ESETresearch analyzed operation #Interception, a new espionage campaign targeting aerospace & defense companies in Europe and the Middle East. Initial contact was made via #LinkedIn, where attackers approached targets with fake job offers @jiboutin welivesecurity.com/2020/06/17/ope… 1/5
The attackers sent a password protected RAR archive containing a LNK file responsible for showing a decoy PDF and downloading additional malware. In some cases, this archive was sent directly through #LinkedIn instant messenger. #ESETresearch 2/5
While the victim was being deceived by the decoy PDF, a scheduled task was created, launching WMIC to execute a script embedded in a remote XSL file. This enabled the attackers to get their initial foothold inside the targeted company and gain persistence on the computer. 3/5
Read 5 tweets
1. Snippet of pardon law from 2017 in the context of a crime boss in the @WhiteHouse. And I'll add that a dangle, offer and act of pardoning a witness can be bribery, tampering and conspiracy by the official and his/her staff. Sorry Roger. Suck it up. @TheJusticeDept @FBIWFO
2. If Trump pardon's him, Roger has to talk. Also I don't see that a pardon works for an ongoing conspiracy. The defendant who has not withdrawn, still agrees to the conspiracy and agreeing to not testify with one overt act and conspiracy liability comes back to life. #Lazarus.
3. Easy fact pattern: Bob BankRobber plans a bank robbery with Cal Conspirator. Bob gets caught after agreement and overt act and charged with conspiracy. Pres DirtyDon pardons Bob who agrees to refuse to testify against Cal. Assume an overt act in furtherance of conspiracy.
Read 5 tweets
Die #IT-Umgebung des indischen #AKW's Kudankulam wurde nicht nur gehackt, sondern als Command and Control Server benutzt.

Hoffentlich war die #OT nicht auch öffentlich am Netz!

#KRITIS Sektor #Energie #nuclear #nuclearsafety #Resilienz #Cyber #Security

Zur Unterscheidung:

IT sind Informationstechnische Systeme (#PC #Laptop #Windows #Office, #Buchhaltung...)

OT sind Operative Systeme (#ICS #SCADA #SPS #HMI #PLC #Steuertechnik...)
Angemessener Stand der Technik #SdT wie in #KRITIS gefordert wurde offenbar im #AKW nicht eingehalten.

Strikte #Trennung zwischen #OT-Steuersystemen und #IT ist eine wesentliche #Sicherheitsmaßnahme!

Weitere #Maßnahmen und #Forderungen finder Ihr hier.

ag.kritis.info/politische-for…
Read 5 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!