In early 2021, the North Korean APT group Lazarus carried out a series of cyber attacks against security researchers, cultivating Twitter accounts with large followings and combining them with custom-developed malware and 0-day vulnerabilities. Details are in the earlier write-up: social engineering attacks on security researchers through social media.
Then on November 10, 2021, the foreign security vendor ESET exposed another campaign by the same group. In this campaign, Lazarus used an IDA Pro 7.5 package bundled with two backdoor files to attack security researchers. IDA (Interactive Disassembler) is the world-class interactive disassembler from Hex-Rays, widely used by security researchers for binary analysis and reverse engineering.
The attacker replaced win_fw.dll, an internal component executed during IDA Pro installation, with a malicious DLL file.
The malicious win_fw.dll creates a Windows scheduled task that launches the second malicious component, idahelper.dll, from the IDA plugins folder.
Once started, idahelper.dll attempts to download and execute the next-stage malicious payload from
https://www[.]devguardmap[.]org/board/board_read.asp?boardid=01
The pictures above are from Twitter.
Check for yourself whether you have installed a leaked copy of IDA.
Regularly capture network traffic on your local network and check for connections to domain names used in related attacks.
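The two checks above, plus the attack chain described earlier (idahelper.dll in the plugins folder, a scheduled task that launches it, and traffic to the devguardmap[.]org domain), can be turned into a small triage script. The script below is an added defender-side example, not code from the original post or from Hex-Rays. The file names and domain come from the post; the directory layout, the task XML and the log lines are constructed samples, and the rundll32 launch line in the task XML is an assumption, since the post does not say how the task starts the DLL.

```python
"""
Triage helper for the trojanized IDA Pro 7.5 package described in the post.
Three checks, each returning findings rather than just printing them:
  * audit_ida_install  - look for idahelper.dll under an IDA directory and
                         flag win_fw.dll for comparison with a clean installer copy
  * audit_task_xml     - scan an exported scheduled-task XML for idahelper.dll
  * find_ioc_hits      - scan DNS/proxy log lines for the post's C2 domain
All sample data is constructed for the demo; nothing here is a real IoC
beyond the file names and domain quoted in the post.
"""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Indicators quoted in the post (the domain is written defanged there).
IOC_DOMAINS = {"devguardmap.org"}
IOC_FILENAMES = {"idahelper.dll"}


def audit_ida_install(root: Path) -> list[str]:
    """Return findings for an IDA install directory rooted at `root`."""
    findings = []
    # idahelper.dll is the second-stage component; it has no business in a clean install.
    for path in root.rglob("*"):
        if path.is_file() and path.name.lower() in IOC_FILENAMES:
            findings.append(f"suspicious file: {path.relative_to(root).as_posix()}")
    # win_fw.dll is a legitimate installer component, so its presence proves nothing;
    # it is flagged so its hash can be compared with a copy from the official installer.
    for path in root.rglob("win_fw.dll"):
        findings.append(f"verify against official installer: {path.relative_to(root).as_posix()}")
    return findings


def audit_task_xml(xml_text: str) -> list[str]:
    """Return <Command>/<Arguments> values of a schtasks XML export that reference an IOC file name."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip the Microsoft task-schema namespace
        if tag in ("Command", "Arguments") and elem.text:
            if any(name in elem.text.lower() for name in IOC_FILENAMES):
                hits.append(elem.text.strip())
    return hits


def find_ioc_hits(log_lines: list[str]) -> list[str]:
    """Return log lines that mention an IOC domain, whether written plainly or defanged."""
    hits = []
    for line in log_lines:
        normalized = line.replace("[.]", ".").lower()
        if any(domain in normalized for domain in IOC_DOMAINS):
            hits.append(line)
    return hits


# --- constructed sample data (not real artifacts) ---------------------------
# Shape follows `schtasks /query /tn <name> /xml`; the rundll32 action is an assumption.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\rundll32.exe</Command>
      <Arguments>"C:\\Program Files\\IDA Pro 7.5\\plugins\\idahelper.dll",#1</Arguments>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_LOG_LINES = [
    "2021-11-10T09:12:01Z dns query A www.devguardmap.org from 10.0.0.15",
    "2021-11-10T09:12:02Z proxy GET https://www.devguardmap.org/board/board_read.asp?boardid=01 10.0.0.15 timeout",
    "2021-11-10T09:13:44Z dns query A hex-rays.com from 10.0.0.15",
]


def build_demo_install() -> Path:
    """Create a temp directory mimicking a trojanized IDA layout (constructed for the demo)."""
    root = Path(tempfile.mkdtemp(prefix="ida_demo_"))
    (root / "plugins").mkdir()
    (root / "plugins" / "idahelper.dll").write_bytes(b"placeholder")
    (root / "win_fw.dll").write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    for finding in audit_ida_install(build_demo_install()):
        print("[install]", finding)
    for hit in audit_task_xml(SAMPLE_TASK_XML):
        print("[task]", hit)
    for hit in find_ioc_hits(SAMPLE_LOG_LINES):
        print("[log]", hit)
```

To use it on a real machine, point audit_ida_install at the actual IDA directory instead of build_demo_install, feed audit_task_xml the output of schtasks /query /xml for each task, and pass find_ioc_hits the lines of your DNS or proxy logs. A hit on idahelper.dll is a strong signal; a hit on win_fw.dll only means the file should be hashed and compared with one taken from the official installer.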
The domain name used in this campaign was exposed in March 2021 and has not been reachable since, so there is reason to suspect that the malware in this campaign is an old version. Leaked copies of newer IDA Pro versions also call for extra caution against being backdoored.
In addition, Blackbird recalled a Twitter account that had released a leaked copy of IDA on Twitter, which resembled the Twitter accounts cultivated by the two newly surfaced North Korean APT accounts that Twitter banned in October 2021. In every case, the accounts used vulnerability research as a gimmick to attract followers and build reputation before turning on the researchers themselves.
Looking back through it, Lagal1990 was called mavillon1 before the name change, and the current mavillon1 account has also been frozen.
Blackbird found the tweets posted by the mavillon1 account at the time through group chat records. Given how widely it circulated in the community back then, students who installed it locally at the time are advised to check for themselves.
Since Lazarus, being a hacking group itself, also knows the hacker community very well, it is reasonable to suspect that besides IDA, other security analysis tools may be trojanized as well. So if you use security tools or software distributed through unofficial channels (such as Burp Suite), or even leaked remote-control tools (such as Cobalt Strike), check them yourself, so that an attacker does not sit hidden in your systems for years without your knowledge.