APT_CyberCriminal_Campagin_.../2020/2020.12.15.Lazarus_Campaign/IOC/ioc_signatures/Lazarus_APT37 (2020-12-16 10:58:15 +08:00)

Files in this directory:

  • HvS_APT37_2020_Command_and_Control.csv
  • HvS_APT37_2020_Filenames_Regex.txt
  • HvS_APT37_2020_Files_Hashes_ProcCommands.csv
  • HvS_APT37_2020_YARArules.yar
  • README.md

Lazarus / APT37 IOCs

  • Version 1.0
  • Date: 15.12.2020
  • Author: HvS-Consulting AG

Context

Notes & Disclaimer

  • Most of the listed C2 domains are legitimate websites that were compromised and abused by the Lazarus group. If you observe traffic to these domains in your organization, it may well be legitimate use of those websites. Our report shares more details about how the C2 communication works, which helps in telling malicious traffic apart from normal use.
  • We provide hashes for many samples, but note that the attacker altered the samples so that their hashes differ on each system.
  • Although we try to avoid false positives through manual QA, these rules are not meant to be used in production without prior dry runs.