cyber_threat_intelligence/actors/Lazarus (README.md, last updated 2023-06-06 10:26:07 +02:00, commit "Update June 2023")

Lazarus - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as Lazarus. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.lazarus

Campaigns

The following campaigns are known and can be associated with Lazarus:

  • AppleJeus
  • Chemical Sector
  • DTrack
  • Fallchill
  • Hidden Cobra
  • ...

There are 11 more campaign items available. Please use our online service to access the data.

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lazarus:

There are 9 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) identify network resources that are known to be part of research and attack activities of Lazarus.

ID IP address Hostname Campaign Confidence
1 1.251.44.118 - - High
2 1.254.179.18 - - High
3 2.50.22.137 - Hidden Cobra High
4 2.50.22.189 - Hidden Cobra High
5 2.50.25.205 - Hidden Cobra High
6 2.50.27.239 - Hidden Cobra High
7 2.50.40.245 - Hidden Cobra High
8 2.93.86.36 - Hidden Cobra High
9 2.93.86.38 - Hidden Cobra High
10 2.93.86.65 - Hidden Cobra High
11 2.93.86.89 - Hidden Cobra High
12 2.93.86.106 - Hidden Cobra High
13 2.93.86.136 - Hidden Cobra High
14 2.93.86.150 - Hidden Cobra High
15 2.93.86.194 - Hidden Cobra High
16 2.93.86.197 - Hidden Cobra High
17 2.93.86.224 - Hidden Cobra High
18 2.93.86.226 - Hidden Cobra High
19 2.93.86.247 - Hidden Cobra High
20 2.93.86.251 - Hidden Cobra High
21 2.93.86.253 - Hidden Cobra High
22 2.93.131.116 - Hidden Cobra High
23 2.93.131.179 - Hidden Cobra High
24 2.93.238.2 - Hidden Cobra High
25 2.93.238.12 - Hidden Cobra High
26 2.93.238.20 - Hidden Cobra High
27 2.93.238.26 - Hidden Cobra High
28 2.93.238.35 - Hidden Cobra High
29 2.93.238.93 - Hidden Cobra High
30 2.93.238.146 - Hidden Cobra High
31 2.93.238.167 - Hidden Cobra High
32 2.93.238.176 - Hidden Cobra High
33 2.93.238.183 - Hidden Cobra High
34 2.93.238.199 - Hidden Cobra High
35 2.93.238.213 - Hidden Cobra High
36 2.93.238.215 - Hidden Cobra High
37 2.93.238.222 - Hidden Cobra High
38 2.93.238.252 - Hidden Cobra High
39 2.93.238.253 - Hidden Cobra High
40 2.93.248.5 - Hidden Cobra High
41 2.93.248.46 - Hidden Cobra High
42 2.94.53.139 - Hidden Cobra High
43 2.94.65.211 - Hidden Cobra High
44 2.94.65.246 - Hidden Cobra High
45 2.94.82.42 - Hidden Cobra High
46 2.94.117.30 - Hidden Cobra High
47 2.94.117.46 - Hidden Cobra High
48 2.94.117.47 - Hidden Cobra High
49 2.94.117.56 - Hidden Cobra High
50 2.94.209.30 - Hidden Cobra High
51 2.187.99.180 - Hidden Cobra High
52 3.39.49.255 ec2-3-39-49-255.ap-northeast-2.compute.amazonaws.com - Medium
53 3.239.189.175 ec2-3-239-189-175.compute-1.amazonaws.com - Medium
54 5.22.137.178 mail.bpdl.co.uk Hidden Cobra High
55 5.22.140.93 5-22-140-93.host.as51043.net Hidden Cobra High
56 5.41.88.137 - Hidden Cobra High
57 5.41.89.32 - Hidden Cobra High
58 5.41.94.221 - Hidden Cobra High
59 5.41.190.7 - Hidden Cobra High
60 5.41.201.151 - Hidden Cobra High
61 5.41.237.214 - Hidden Cobra High
62 5.79.99.169 nsg037-19.divide.nl Fallchill High
63 5.98.91.76 host-5-98-91-76.business.telecomitalia.it Hidden Cobra High
64 5.141.87.156 5-141-97-156.static-adsl.isurgut.ru Hidden Cobra High
65 5.189.190.67 m2767.contaboserver.net Hidden Cobra High
66 5.200.154.208 - Hidden Cobra High
67 5.200.177.218 - Hidden Cobra High
68 5.200.191.104 - Hidden Cobra High
69 5.200.198.10 - Hidden Cobra High
70 5.200.202.99 - Hidden Cobra High
71 13.88.245.250 - - High
72 13.107.21.200 - - High
73 14.102.46.3 - Volgmer High
74 14.139.125.214 - Volgmer High
75 14.140.123.179 14.140.123.179.static-pune-vsnl.net.in Hidden Cobra High
76 14.141.27.100 14.141.26.100.static-Mumbai.vsnl.net.in Hidden Cobra High
77 14.141.129.116 14.141.129.116.static-Delhi.vsnl.net.in Volgmer High
78 14.149.149.211 - Hidden Cobra High
79 21.252.107.198 - Hoplight High
80 23.50.0.140 a23-50-0-140.deploy.static.akamaitechnologies.com - High
81 23.81.246.107 - - High
82 23.81.246.131 - South Korea High
83 23.81.246.179 - - High
84 23.82.141.50 - - High
85 23.82.141.172 - - High
86 23.94.37.55 23-94-37-55-host.colocrossing.com - High
87 23.94.139.92 23-94-139-92-host.colocrossing.com - High
88 23.95.67.143 23-95-67-143-host.colocrossing.com - High
89 23.106.160.40 - - High
90 23.106.223.194 - - High
91 23.108.57.232 - - High
92 23.152.0.232 betrp-basisto.seemband.com - High
93 23.227.196.5 23-227-196-5.static.hvvc.us - High
94 23.227.196.116 23-227-196-116.static.hvvc.us - High
95 23.227.199.21 23-227-199-21.static.hvvc.us - High
96 23.227.199.53 23-227-199-53.static.hvvc.us - High
97 23.227.199.69 23-227-199-69.static.hvvc.us - High
98 23.229.111.197 - - High
99 23.254.119.12 - - High
100 26.165.218.44 - Hoplight High
101 27.96.110.130 130.110.96.27.static.m1net.com.sg Hidden Cobra High
102 27.114.187.37 - Volgmer High
103 27.123.221.66 66-221.fiber.net.id Fallchill High
104 27.125.35.229 - Hidden Cobra High
105 31.11.32.79 websn1s069.aruba.it Netherlands and Belgium High
106 31.47.47.130 - Hidden Cobra High
107 31.54.73.156 host31-54-73-156.range31-54.btcentralplus.com Hidden Cobra High
108 31.54.74.176 host31-54-74-176.range31-54.btcentralplus.com Hidden Cobra High
109 31.146.82.22 31-146-82-22.dsl.utg.ge Volgmer High
110 31.146.136.6 31-146-136-6.dsl.utg.ge Hidden Cobra High
111 31.168.203.44 bzq-203-168-31-44.red.bezeqint.net Hidden Cobra High
112 31.186.8.221 - - High
113 34.199.186.157 ec2-34-199-186-157.compute-1.amazonaws.com - Medium
114 36.71.90.4 - Fallchill High
115 37.34.240.177 - Hidden Cobra High
116 37.48.106.69 high-convey.blockother.com Hidden Cobra High
117 37.71.50.2 2.50.71.37.rev.sfr.net Hidden Cobra High
118 37.72.168.228 228.168.72.37.static.swiftway.net - High
119 37.72.175.135 37-72-175-135.static.hvvc.us - High
120 37.72.175.179 37-72-175-179.static.hvvc.us - High
121 37.72.175.196 37-72-175-196.static.hvvc.us - High
122 37.75.0.98 - Hidden Cobra High
123 37.75.2.203 - Hidden Cobra High
124 37.75.10.194 mail.kplus.com.tr Hidden Cobra High
125 37.75.11.162 37-75-11-162.rdns.saglayici.net Hidden Cobra High
126 37.98.114.90 90.mobinnet.net Volgmer High
127 37.104.24.220 - Hidden Cobra High
128 37.104.50.144 - Hidden Cobra High
129 37.104.67.33 - Hidden Cobra High
130 37.105.234.200 - Hidden Cobra High
131 37.106.115.3 - Hidden Cobra High
132 37.143.29.10 - Hidden Cobra High
133 37.148.209.156 37-148-209-156.cizgi.net.tr Hidden Cobra High
134 37.216.67.155 - Volgmer High
135 37.216.213.70 - Hidden Cobra High
136 37.235.21.166 - Volgmer High
137 37.238.135.70 - - High
138 38.132.124.161 - TraderTraitor High
139 40.121.90.194 - - High
140 41.57.108.68 - Hidden Cobra High
141 41.67.136.38 netcomafrica.com Hidden Cobra High
142 41.67.136.39 netcomafrica.com Hidden Cobra High
143 41.72.99.5 - Hidden Cobra High
144 41.72.101.138 - Hidden Cobra High
145 41.74.166.253 - Hidden Cobra High
146 41.92.208.194 - Fallchill High
147 41.92.208.196 - Fallchill High
148 41.92.208.197 - Fallchill High
149 41.110.179.197 - Hidden Cobra High
150 41.128.226.60 - Hidden Cobra High
151 41.131.49.228 host-41-131-49-228.static.link.com.eg Hidden Cobra High
152 41.131.164.156 - Hidden Cobra High
153 41.134.208.234 41-134-208-234.dsl.mweb.co.za Hidden Cobra High
154 41.182.252.56 ADSL-41-182-252-56.ipb.na Hidden Cobra High
155 41.205.139.34 ADSL-41-205-139-34.ipb.na Hidden Cobra High
156 41.208.106.68 owa.altaqnya.com.ly Hidden Cobra High
157 41.208.106.70 dc1.Mail.dsmhlc.ly Hidden Cobra High
158 41.215.250.40 - Hidden Cobra High
159 41.223.30.20 host30-20.creolink.com Hidden Cobra High
160 41.224.254.90 - Hidden Cobra High
161 43.249.216.6 - Volgmer High
162 45.33.2.79 li956-79.members.linode.com AppleJeus High
163 45.33.23.183 li977-183.members.linode.com AppleJeus High
164 45.56.79.23 li929-23.members.linode.com AppleJeus High
165 45.58.112.77 - - High
166 45.79.19.196 li1118-196.members.linode.com AppleJeus High
167 45.118.34.215 - Volgmer High
168 45.120.61.145 - Hidden Cobra High
169 45.122.138.130 - - High
170 45.124.169.36 - Volgmer High
171 45.128.156.27 smtp.flatmeadow.com - High
172 45.199.63.220 - AppleJeus High
173 46.16.62.238 fnadh-35.srv.cat TraderTraitor High
174 46.19.101.186 ip-46-19-101-186.gnc.net Hidden Cobra High
175 46.21.147.161 46-21-147-161.static.hvvc.us - High
176 46.21.153.87 87.153.21.46.static.swiftway.net - High
177 46.52.131.102 - Hidden Cobra High
178 46.121.242.180 46-121-242-180.static.012.net.il Hidden Cobra High
179 46.174.116.60 - Hidden Cobra High
180 46.174.116.87 - Hidden Cobra High
181 46.174.116.90 - Hidden Cobra High
182 46.174.116.99 - Hidden Cobra High
183 46.174.116.221 - Hidden Cobra High
184 46.174.116.231 - Hidden Cobra High
185 46.174.116.234 - Hidden Cobra High
186 46.174.117.15 - Hidden Cobra High
187 46.174.117.32 - Hidden Cobra High
188 46.174.117.36 - Hidden Cobra High
189 46.174.117.42 - Hidden Cobra High
190 46.174.117.44 - Hidden Cobra High
191 46.174.117.50 - Hidden Cobra High
192 46.174.117.61 - Hidden Cobra High
193 46.174.117.77 - Hidden Cobra High
194 46.174.117.80 - Hidden Cobra High
195 46.174.117.97 - Hidden Cobra High
196 46.174.117.98 - Hidden Cobra High
197 46.174.117.103 - Hidden Cobra High
198 46.174.117.116 - Hidden Cobra High
199 46.174.117.121 - Hidden Cobra High
200 46.174.117.129 - Hidden Cobra High
201 46.174.117.134 - Hidden Cobra High
202 46.174.117.153 - Hidden Cobra High
203 46.174.117.164 - Hidden Cobra High
204 46.183.221.109 ip-221-109.dataclub.info - High
205 46.218.127.110 reverse.completel.fr Hidden Cobra High
206 47.206.4.145 static-47-206-4-145.srst.fl.frontiernet.net Hoplight High
207 49.206.1.61 49.206.1.61.actcorp.in Hidden Cobra High
208 49.247.9.177 - - High
209 50.62.168.157 p3nwvpweb145.shr.prod.phx3.secureserver.net Fallchill High
210 50.87.144.227 somethingaboutmarketing.com - High
211 50.192.28.29 speed-stream.com Netherlands and Belgium High
212 51.38.234.8 hydra.skok.pl - High
213 51.68.119.230 ns3145204.ip-51-68-119.eu - High
214 51.79.44.111 server2.urgentfury.net - High
215 51.235.1.216 - Hidden Cobra High
216 51.235.13.162 - Hidden Cobra High
217 51.235.17.133 - Hidden Cobra High
218 51.235.19.202 - Hidden Cobra High
219 51.235.33.226 - Hidden Cobra High
220 51.235.49.202 - Hidden Cobra High
221 52.79.118.195 ec2-52-79-118-195.ap-northeast-2.compute.amazonaws.com Chemical Sector Medium
222 52.79.120.37 ec2-52-79-120-37.ap-northeast-2.compute.amazonaws.com - Medium
223 52.128.23.153 - DTrack High
224 52.148.148.114 - - High
225 52.202.193.124 ec2-52-202-193-124.compute-1.amazonaws.com MagicRAT Medium
226 54.38.11.132 ip132.ip-54-38-11.eu - High
227 54.39.64.114 server2.urgentfury.net - High
228 54.39.204.190 ip190.ip-54-39-204.net - High
229 54.64.30.175 vega.mh-tec.co.jp - High
230 ... ... ... ...

There are 918 more IOC items available. Please use our online service to access the data.
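The table above is flattened: hostnames and campaigns are "-" when unknown, campaign names may contain spaces ("Hidden Cobra", "Chemical Sector"), and the shared-cloud entries (the ec2-* reverse DNS names) are rated Medium rather than High. The following Python is an added example, not VulDB code, showing how to parse rows in this layout into records, build a blocklist filtered by confidence, and match it against firewall log lines. The table rows are copied from the page; the log lines and the local/RFC 5737 addresses in them are constructed for the demonstration.

```python
"""Parse the VulDB IOC table, filter by confidence, match against logs.

Added example (not VulDB code). Table rows copied from the page; log lines constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the page's column order: ID, IP, hostname, campaign, confidence.
SAMPLE_IOC_TABLE = """\
ID IP address Hostname Campaign Confidence
3 2.50.22.137 - Hidden Cobra High
54 5.22.137.178 mail.bpdl.co.uk Hidden Cobra High
62 5.79.99.169 nsg037-19.divide.nl Fallchill High
87 3.39.49.255 ec2-3-39-49-255.ap-northeast-2.compute.amazonaws.com - Medium
221 52.79.118.195 ec2-52-79-118-195.ap-northeast-2.compute.amazonaws.com Chemical Sector Medium
230 ... ... ... ...
"""

CONFIDENCE_RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Ioc:
    ioc_id: int
    ip: str
    hostname: Optional[str]
    campaign: Optional[str]
    confidence: str


def parse_ioc_table(text: str) -> list:
    """Parse rows of the flattened table; the header and '...' rows are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        # A valid row has at least ID, IP, hostname and confidence.
        if len(parts) < 4 or not parts[0].isdigit() or parts[-1] not in CONFIDENCE_RANK:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue  # not an address (e.g. a truncation row)
        hostname = None if parts[2] == "-" else parts[2]
        # Everything between the hostname and the confidence is the campaign name.
        campaign = " ".join(parts[3:-1])
        records.append(Ioc(int(parts[0]), ip, hostname,
                           None if campaign == "-" else campaign, parts[-1]))
    return records


def build_blocklist(iocs, min_confidence: str = "High") -> dict:
    """Map IP -> Ioc for every record at or above min_confidence."""
    floor = CONFIDENCE_RANK[min_confidence]
    return {i.ip: i for i in iocs if CONFIDENCE_RANK[i.confidence] >= floor}


# Dotted quad not embedded in a longer dotted/digit run.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def match_log_lines(lines, blocklist: dict) -> list:
    """Return (line_number, ip, ioc_id) for each blocklisted IP found in a line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in blocklist:
                hits.append((number, ip, blocklist[ip].ioc_id))
    return hits


# Constructed firewall log lines: 10.x is internal, 198.51.100.7 is a neutral RFC 5737 address.
SAMPLE_LOGS = [
    "2023-06-01T10:00:01Z fw ACCEPT src=10.20.30.40 dst=5.22.137.178 dpt=443",
    "2023-06-01T10:00:02Z fw ACCEPT src=10.20.30.41 dst=198.51.100.7 dpt=443",
    "2023-06-01T10:00:03Z fw ACCEPT src=3.39.49.255 dst=10.20.30.42 dpt=22",
]

if __name__ == "__main__":
    iocs = parse_ioc_table(SAMPLE_IOC_TABLE)
    for floor in ("High", "Medium"):
        print(floor, match_log_lines(SAMPLE_LOGS, build_blocklist(iocs, floor)))
```

With the floor at High the EC2 address in the third log line is ignored; lowering it to Medium surfaces it. That is the intended trade-off: Medium-confidence cloud addresses are re-assigned quickly, so they are better used for hunting and review than for long-lived blocking.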

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by Lazarus. This data is unique as it uses our predictive model for actor profiling.

ID Technique Weakness Description Confidence
1 T1006 CWE-22, CWE-23, CWE-24, CWE-29, CWE-36, CWE-425 Pathname Traversal High
2 T1055 CWE-74 Injection High
3 T1059 CWE-88, CWE-94 Argument Injection High
4 T1059.007 CWE-79, CWE-80 Cross Site Scripting High
5 T1068 CWE-250, CWE-264, CWE-269, CWE-284 J2EE Misconfiguration: Weak Access Permissions for EJB Methods High
6 ... ... ... ...

There are 18 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Lazarus. This data is unique as it uses our predictive model for actor profiling.

ID Type Indicator Confidence
1 File /admin.php?c=upload&f=zip&_noCache=0.1683794968 High
2 File /admin/?page=user/list High
3 File /admin/ajax.php?action=save_area High
4 File /admin/budget/manage_budget.php High
5 File /admin/contacts/organizations/edit/2 High
6 File /admin/edit_subject.php High
7 File /admin/modal_add_product.php High
8 File /admin/reportupload.aspx High
9 File /admin/save_teacher.php High
10 File /admin/service.php High
11 File /admin/update_s6.php High
12 File /ajax.php?action=read_msg High
13 File /ajax.php?action=save_company High
14 File /api/stl/actions/search High
15 File /bin/login Medium
16 File /building/backmgr/urlpage/mobileurl/configfile/jx2_config.ini High
17 File /cas/logout Medium
18 File /cgi-bin/wapopen High
19 File /classes/Master.php?f=delete_service High
20 File /dosen/data Medium
21 File /DXR.axd Medium
22 File /E-mobile/App/System/File/downfile.php High
23 File /hslist Low
24 File /index.php?app=main&func=passport&action=login High
25 ... ... ...

There are 211 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.
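Matching these IOA strings literally against web server logs misses most real traffic: the _noCache value in item 1 is a cache-buster that changes per request, the trailing 2 in item 5 is a record id, and ASP.NET paths such as /DXR.axd are served case-insensitively. The following Python is an added example, not VulDB code, that parses File-type rows in the layout above, normalises both the indicator and each logged request (numeric path segments templated, numeric query values dropped, names lowercased) and reports matches at or above a confidence floor. The IOA rows are copied from the page; the access log lines, with RFC 5737 client addresses, are constructed.

```python
"""Match web server access log requests against VulDB IOA paths.

Added example (not VulDB code). IOA rows copied from the page; log lines constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

SAMPLE_IOA_TABLE = """\
ID Type Indicator Confidence
1 File /admin.php?c=upload&f=zip&_noCache=0.1683794968 High
2 File /admin/?page=user/list High
5 File /admin/contacts/organizations/edit/2 High
21 File /DXR.axd Medium
23 File /hslist Low
24 File /index.php?app=main&func=passport&action=login High
25 ... ... ...
"""

CONFIDENCE_RANK = {"Low": 1, "Medium": 2, "High": 3}
NUMERIC_RE = re.compile(r"^\d+(?:\.\d+)?$")
# Request target inside the quoted request line of a combined-format access log.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/')


def parse_ioa_table(text):
    """Return (id, indicator, confidence) for each File-type row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit() or parts[3] not in CONFIDENCE_RANK:
            continue  # header, blank and '...' rows
        if parts[1] == "File":
            rows.append((int(parts[0]), parts[2], parts[3]))
    return rows


def normalize(target):
    """Reduce a request target to (templated lowercase path, parameter tokens).

    Numeric path segments become '{id}'; a parameter with a numeric value is
    kept by name only, so cache-busters and ids do not defeat the match.
    """
    url = urlsplit(target)
    path = "/".join("{id}" if NUMERIC_RE.match(seg) else seg.lower()
                    for seg in url.path.split("/"))
    params = frozenset(
        key.lower() if NUMERIC_RE.match(value) else f"{key.lower()}={value}"
        for key, value in parse_qsl(url.query, keep_blank_values=True)
    )
    return path, params


def match_access_log(lines, ioas, min_confidence="Medium"):
    """Return (line_number, ioa_id, indicator) for each request matching an IOA."""
    floor = CONFIDENCE_RANK[min_confidence]
    signatures = [(ioa_id, indicator, normalize(indicator))
                  for ioa_id, indicator, conf in ioas if CONFIDENCE_RANK[conf] >= floor]
    hits = []
    for number, line in enumerate(lines, start=1):
        found = REQUEST_RE.search(line)
        if not found:
            continue
        path, params = normalize(found.group(1))
        for ioa_id, indicator, (sig_path, sig_params) in signatures:
            # Path must match after templating; every IOA parameter must be present.
            if path == sig_path and sig_params <= params:
                hits.append((number, ioa_id, indicator))
    return hits


# Constructed access log lines (clients are RFC 5737 documentation addresses).
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [06/Jun/2023:10:26:07 +0200] "GET /admin.php?c=upload&f=zip&_noCache=0.1686040001 HTTP/1.1" 200 512',
    '203.0.113.5 - - [06/Jun/2023:10:26:09 +0200] "POST /admin/contacts/organizations/edit/17 HTTP/1.1" 302 0',
    '198.51.100.9 - - [06/Jun/2023:10:27:30 +0200] "GET /index.php?app=main&func=passport&action=login HTTP/1.1" 200 2048',
    '198.51.100.9 - - [06/Jun/2023:10:27:31 +0200] "GET /admin/?page=dashboard HTTP/1.1" 200 4096',
    '192.0.2.44 - - [06/Jun/2023:10:28:00 +0200] "GET /dxr.axd HTTP/1.1" 404 0',
    '192.0.2.44 - - [06/Jun/2023:10:28:01 +0200] "GET /hslist HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    ioas = parse_ioa_table(SAMPLE_IOA_TABLE)
    for hit in match_access_log(SAMPLE_ACCESS_LOG, ioas):
        print(hit)
```

The fourth line (page=dashboard) does not match item 2 because the IOA requires page=user/list, and /hslist only appears when the floor is lowered to Low. Path-only indicators such as /DXR.axd match regardless of query string, so treat hits on generic paths as leads to review together with the client address and response code rather than as confirmed attacks.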

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2023 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!