North Korean APT organization uses IDA software with backdoor to attack security researchers

In early 2021, the North Korean APT group Lazarus carried out a series of cyber attacks against security researchers by cultivating a large number of Twitter accounts and combining them with custom-developed malware and 0-day vulnerabilities. For details see: "Social engineering attack campaign against security researchers via social media".

Then on November 10, 2021, the foreign security vendor ESET exposed another campaign by the same group. In this campaign, Lazarus used a copy of IDA Pro 7.5 bundled with two backdoor files to attack security researchers. IDA (Interactive Disassembler) is a world-class interactive disassembler from Hex-Rays, widely used by security researchers for binary analysis and reverse engineering.


The attacker replaced the internal component win_fw.dll executed during IDA Pro installation with a malicious DLL file.


The malicious win_fw.dll creates a Windows scheduled task that launches the second malicious component idahelper.dll from the IDA plug-in folder.


After idahelper.dll starts, it attempts to download and execute the next-stage malicious payload from https://www[.]devguardmap[.]org/board/board_read.asp?boardid=01.


The above pictures are from Twitter @ESETresearch.

If you have a leaked version of IDA, please check it yourself against the following SHA-1 hashes:

win_fw.dll: A8EF73CC67C794D5AA860538D66898868EE0BEC0

idahelper.dll: DE0E23DB04A7A780A640C656293336F80040F387

Also capture network traffic on the local network regularly and check for any access to the domain used in this attack:

devguardmap[.]org
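The following is an added self-check script, not code from Blackbird or ESET, that turns the indicators above into something a researcher can run against a local IDA installation: it hashes every DLL under the install directory, compares the SHA-1 against the two published values, looks for the C2 domain string inside the two named files, and (on Windows) searches scheduled-task definitions for a task that launches idahelper.dll, which is the persistence step described above. Assumptions: the install path is passed on the command line, the scheduled-task directory is the standard C:\Windows\System32\Tasks, and idahelper.dll is not a component of a clean IDA install (its presence is flagged for manual review rather than declared malicious).

```python
import hashlib
from pathlib import Path

# SHA-1 indicators published by ESET for the trojanized IDA Pro 7.5 package,
# lowercased so they compare against hashlib's hex output.
IOC_SHA1 = {
    "a8ef73cc67c794d5aa860538d66898868ee0bec0": "win_fw.dll (replaced installer component)",
    "de0e23db04a7a780a640c656293336f80040f387": "idahelper.dll (second-stage component)",
}
# C2 domain from the report, without the defanging brackets, as it would
# appear inside a binary or a task definition.
IOC_DOMAIN = b"devguardmap.org"
# File names from the report. Assumption: idahelper.dll does not ship with a
# clean IDA install, so its mere presence is worth a manual look.
SUSPECT_NAMES = {"win_fw.dll", "idahelper.dll"}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-1 so large binaries are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def scan_ida_install(root, ioc_sha1=None):
    """Walk an IDA install directory; return a list of (path, reason) findings."""
    ioc_sha1 = IOC_SHA1 if ioc_sha1 is None else ioc_sha1
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if not name.endswith(".dll"):
            continue
        digest = sha1_of_file(path)
        if digest in ioc_sha1:
            findings.append((str(path), f"SHA-1 matches IoC: {ioc_sha1[digest]}"))
            continue
        if name in SUSPECT_NAMES:
            # A recompiled or repacked sample changes the hash but often keeps
            # the hard-coded C2 domain, so check the raw bytes as well.
            if IOC_DOMAIN in path.read_bytes():
                findings.append((str(path), "contains C2 domain string devguardmap.org"))
            elif name == "idahelper.dll":
                findings.append((str(path), "idahelper.dll present; not expected in a clean install, inspect manually"))
    return findings


def scan_task_definitions(tasks_dir):
    """Search scheduled-task XML files (C:\\Windows\\System32\\Tasks on Windows)
    for a task that references idahelper.dll, as the trojanized win_fw.dll creates one."""
    findings = []
    for path in Path(tasks_dir).rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        # Windows writes task XML as UTF-16; also accept plain ASCII/UTF-8.
        text = data.decode("utf-16", errors="ignore").lower()
        if b"idahelper" in data.lower() or "idahelper" in text:
            findings.append((str(path), "scheduled task references idahelper.dll"))
    return findings


if __name__ == "__main__":
    import sys
    ida_root = sys.argv[1]  # e.g. the folder the leaked installer was unpacked into
    hits = scan_ida_install(ida_root)
    hits += scan_task_definitions(r"C:\Windows\System32\Tasks")
    for file_path, reason in hits:
        print(f"[!] {file_path}: {reason}")
    if not hits:
        print("no indicators from the ESET report found")
```

Run it as `python ida_check.py "<path to IDA folder>"` from an elevated prompt, since the Tasks directory is not readable by ordinary users. A clean result only means these specific indicators are absent; the domain was already unreachable by the time the samples were analysed, so a newer repack could use different files and infrastructure.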

The domain used in this incident was exposed in March 2021 and has not been reachable since, so there is reason to suspect that the malware involved is an old version. Anyone using leaked copies of newer IDA Pro releases should also be careful to avoid being "hacked" in the same way.


In addition, Blackbird recalled a Twitter account that had posted a leaked version of IDA, which closely resembled the two new Twitter accounts cultivated by the North Korean APT group that were banned in October 2021. In every case, the accounts used vulnerability research as a gimmick to attract followers and build a reputation before attacking researchers.


Looking back through the account's history, Blackbird found that Lagal1990 was called mavillon1 before the name change, and the current mavillon1 account has also been frozen.


Blackbird found the tweets posted by the mavillon1 account at the time through group chat records. Recalling how popular that package was in the community back then, readers who installed it locally are advised to check their systems themselves.


Since the Lazarus group is itself a hacking group and knows the hacker community very well, it is reasonable to suspect that, besides IDA, other security analysis tools may be trojanized in the same way. Anyone using security tools distributed through unofficial channels (such as BurpSuite), or leaked remote-control tools (such as Cobalt Strike), should check them carefully, or an attacker may sit hidden on the system for years without anyone noticing.
