Last updated: 2022-06-28 10:28:01 +02:00

Lazarus - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as Lazarus. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.lazarus

Campaigns

The following campaigns are known and can be associated with Lazarus:

  • AppleJeus
  • Chemical Sector
  • Fallchill
  • Hidden Cobra
  • ...

There are 8 more campaign items available. Please use our online service to access the data.

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lazarus:

IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of Lazarus.

| ID | IP address | Hostname | Campaign | Confidence |
|---|---|---|---|---|
| 1 | 2.50.22.137 | - | Hidden Cobra | High |
| 2 | 2.50.22.189 | - | Hidden Cobra | High |
| 3 | 2.50.25.205 | - | Hidden Cobra | High |
| 4 | 2.50.27.239 | - | Hidden Cobra | High |
| 5 | 2.50.40.245 | - | Hidden Cobra | High |
| 6 | 2.93.86.36 | - | Hidden Cobra | High |
| 7 | 2.93.86.38 | - | Hidden Cobra | High |
| 8 | 2.93.86.65 | - | Hidden Cobra | High |
| 9 | 2.93.86.89 | - | Hidden Cobra | High |
| 10 | 2.93.86.106 | - | Hidden Cobra | High |
| 11 | 2.93.86.136 | - | Hidden Cobra | High |
| 12 | 2.93.86.150 | - | Hidden Cobra | High |
| 13 | 2.93.86.194 | - | Hidden Cobra | High |
| 14 | 2.93.86.197 | - | Hidden Cobra | High |
| 15 | 2.93.86.224 | - | Hidden Cobra | High |
| 16 | 2.93.86.226 | - | Hidden Cobra | High |
| 17 | 2.93.86.247 | - | Hidden Cobra | High |
| 18 | 2.93.86.251 | - | Hidden Cobra | High |
| 19 | 2.93.86.253 | - | Hidden Cobra | High |
| 20 | 2.93.131.116 | - | Hidden Cobra | High |
| 21 | 2.93.131.179 | - | Hidden Cobra | High |
| 22 | 2.93.238.2 | - | Hidden Cobra | High |
| 23 | 2.93.238.12 | - | Hidden Cobra | High |
| 24 | 2.93.238.20 | - | Hidden Cobra | High |
| 25 | 2.93.238.26 | - | Hidden Cobra | High |
| 26 | 2.93.238.35 | - | Hidden Cobra | High |
| 27 | 2.93.238.93 | - | Hidden Cobra | High |
| 28 | 2.93.238.146 | - | Hidden Cobra | High |
| 29 | 2.93.238.167 | - | Hidden Cobra | High |
| 30 | 2.93.238.176 | - | Hidden Cobra | High |
| 31 | 2.93.238.183 | - | Hidden Cobra | High |
| 32 | 2.93.238.199 | - | Hidden Cobra | High |
| 33 | 2.93.238.213 | - | Hidden Cobra | High |
| 34 | 2.93.238.215 | - | Hidden Cobra | High |
| 35 | 2.93.238.222 | - | Hidden Cobra | High |
| 36 | 2.93.238.252 | - | Hidden Cobra | High |
| 37 | 2.93.238.253 | - | Hidden Cobra | High |
| 38 | 2.93.248.5 | - | Hidden Cobra | High |
| 39 | 2.93.248.46 | - | Hidden Cobra | High |
| 40 | 2.94.53.139 | - | Hidden Cobra | High |
| 41 | 2.94.65.211 | - | Hidden Cobra | High |
| 42 | 2.94.65.246 | - | Hidden Cobra | High |
| 43 | 2.94.82.42 | - | Hidden Cobra | High |
| 44 | 2.94.117.30 | - | Hidden Cobra | High |
| 45 | 2.94.117.46 | - | Hidden Cobra | High |
| 46 | 2.94.117.47 | - | Hidden Cobra | High |
| 47 | 2.94.117.56 | - | Hidden Cobra | High |
| 48 | 2.94.209.30 | - | Hidden Cobra | High |
| 49 | 2.187.99.180 | - | Hidden Cobra | High |
| 50 | 5.22.137.178 | mail.bpdl.co.uk | Hidden Cobra | High |
| 51 | 5.22.140.93 | 5-22-140-93.host.as51043.net | Hidden Cobra | High |
| 52 | 5.41.88.137 | - | Hidden Cobra | High |
| 53 | 5.41.89.32 | - | Hidden Cobra | High |
| 54 | 5.41.94.221 | - | Hidden Cobra | High |
| 55 | 5.41.190.7 | - | Hidden Cobra | High |
| 56 | 5.41.201.151 | - | Hidden Cobra | High |
| 57 | 5.41.237.214 | - | Hidden Cobra | High |
| 58 | 5.79.99.169 | nsg037-19.divide.nl | Fallchill | High |
| 59 | 5.98.91.76 | host-5-98-91-76.business.telecomitalia.it | Hidden Cobra | High |
| 60 | 5.141.87.156 | 5-141-97-156.static-adsl.isurgut.ru | Hidden Cobra | High |
| 61 | 5.189.190.67 | m2767.contaboserver.net | Hidden Cobra | High |
| 62 | 5.200.154.208 | - | Hidden Cobra | High |
| 63 | 5.200.177.218 | - | Hidden Cobra | High |
| 64 | 5.200.191.104 | - | Hidden Cobra | High |
| 65 | 5.200.198.10 | - | Hidden Cobra | High |
| 66 | 5.200.202.99 | - | Hidden Cobra | High |
| 67 | 14.102.46.3 | - | Volgmer | High |
| 68 | 14.139.125.214 | - | Volgmer | High |
| 69 | 14.140.123.179 | 14.140.123.179.static-pune-vsnl.net.in | Hidden Cobra | High |
| 70 | 14.141.27.100 | 14.141.26.100.static-Mumbai.vsnl.net.in | Hidden Cobra | High |
| 71 | 14.141.129.116 | 14.141.129.116.static-Delhi.vsnl.net.in | Volgmer | High |
| 72 | 14.149.149.211 | - | Hidden Cobra | High |
| 73 | 21.252.107.198 | - | Hoplight | High |
| 74 | 23.81.246.131 | - | South Korea | High |
| 75 | 23.152.0.232 | betrp-basisto.seemband.com | - | High |
| 76 | 26.165.218.44 | - | Hoplight | High |
| 77 | 27.96.110.130 | 130.110.96.27.static.m1net.com.sg | Hidden Cobra | High |
| 78 | 27.114.187.37 | - | Volgmer | High |
| 79 | 27.123.221.66 | 66-221.fiber.net.id | Fallchill | High |
| 80 | 27.125.35.229 | - | Hidden Cobra | High |
| 81 | 31.47.47.130 | - | Hidden Cobra | High |
| 82 | 31.54.73.156 | host31-54-73-156.range31-54.btcentralplus.com | Hidden Cobra | High |
| 83 | 31.54.74.176 | host31-54-74-176.range31-54.btcentralplus.com | Hidden Cobra | High |
| 84 | 31.146.82.22 | 31-146-82-22.dsl.utg.ge | Volgmer | High |
| 85 | 31.146.136.6 | 31-146-136-6.dsl.utg.ge | Hidden Cobra | High |
| 86 | 31.168.203.44 | bzq-203-168-31-44.red.bezeqint.net | Hidden Cobra | High |
| 87 | 36.71.90.4 | - | Fallchill | High |
| 88 | 37.34.240.177 | - | Hidden Cobra | High |
| 89 | 37.48.106.69 | high-convey.blockother.com | Hidden Cobra | High |
| 90 | 37.71.50.2 | 2.50.71.37.rev.sfr.net | Hidden Cobra | High |
| 91 | 37.75.0.98 | - | Hidden Cobra | High |
| 92 | 37.75.2.203 | - | Hidden Cobra | High |
| 93 | 37.75.10.194 | mail.kplus.com.tr | Hidden Cobra | High |
| 94 | 37.75.11.162 | 37-75-11-162.rdns.saglayici.net | Hidden Cobra | High |
| 95 | 37.98.114.90 | 90.mobinnet.net | Volgmer | High |
| 96 | 37.104.24.220 | - | Hidden Cobra | High |
| 97 | 37.104.50.144 | - | Hidden Cobra | High |
| 98 | 37.104.67.33 | - | Hidden Cobra | High |
| 99 | 37.105.234.200 | - | Hidden Cobra | High |
| 100 | 37.106.115.3 | - | Hidden Cobra | High |
| 101 | 37.143.29.10 | - | Hidden Cobra | High |
| 102 | 37.148.209.156 | 37-148-209-156.cizgi.net.tr | Hidden Cobra | High |
| 103 | 37.216.67.155 | - | Volgmer | High |
| 104 | 37.216.213.70 | - | Hidden Cobra | High |
| 105 | 37.235.21.166 | - | Volgmer | High |
| 106 | 37.238.135.70 | - | - | High |
| 107 | 38.132.124.161 | - | TraderTraitor | High |
| 108 | 41.57.108.68 | - | Hidden Cobra | High |
| 109 | 41.67.136.38 | netcomafrica.com | Hidden Cobra | High |
| 110 | 41.67.136.39 | netcomafrica.com | Hidden Cobra | High |
| 111 | 41.72.99.5 | - | Hidden Cobra | High |
| 112 | 41.72.101.138 | - | Hidden Cobra | High |
| 113 | 41.74.166.253 | - | Hidden Cobra | High |
| 114 | 41.92.208.194 | - | Fallchill | High |
| 115 | 41.92.208.196 | - | Fallchill | High |
| 116 | 41.92.208.197 | - | Fallchill | High |
| 117 | 41.110.179.197 | - | Hidden Cobra | High |
| 118 | 41.128.226.60 | - | Hidden Cobra | High |
| 119 | 41.131.49.228 | host-41-131-49-228.static.link.com.eg | Hidden Cobra | High |
| 120 | 41.131.164.156 | - | Hidden Cobra | High |
| 121 | 41.134.208.234 | 41-134-208-234.dsl.mweb.co.za | Hidden Cobra | High |
| 122 | 41.182.252.56 | ADSL-41-182-252-56.ipb.na | Hidden Cobra | High |
| 123 | 41.205.139.34 | ADSL-41-205-139-34.ipb.na | Hidden Cobra | High |
| 124 | 41.208.106.68 | owa.altaqnya.com.ly | Hidden Cobra | High |
| 125 | 41.208.106.70 | dc1.Mail.dsmhlc.ly | Hidden Cobra | High |
| 126 | 41.215.250.40 | - | Hidden Cobra | High |
| 127 | 41.223.30.20 | host30-20.creolink.com | Hidden Cobra | High |
| 128 | 41.224.254.90 | - | Hidden Cobra | High |
| 129 | 43.249.216.6 | - | Volgmer | High |
| 130 | 45.33.2.79 | li956-79.members.linode.com | AppleJeus | High |
| 131 | 45.33.23.183 | li977-183.members.linode.com | AppleJeus | High |
| 132 | 45.56.79.23 | li929-23.members.linode.com | AppleJeus | High |
| 133 | 45.79.19.196 | li1118-196.members.linode.com | AppleJeus | High |
| 134 | 45.118.34.215 | - | Volgmer | High |
| 135 | 45.120.61.145 | - | Hidden Cobra | High |
| 136 | 45.124.169.36 | - | Volgmer | High |
| 137 | 45.199.63.220 | - | AppleJeus | High |
| 138 | 46.16.62.238 | fnadh-35.srv.cat | TraderTraitor | High |
| 139 | 46.19.101.186 | ip-46-19-101-186.gnc.net | Hidden Cobra | High |
| 140 | 46.21.147.161 | 46-21-147-161.static.hvvc.us | - | High |
| 141 | 46.52.131.102 | - | Hidden Cobra | High |
| 142 | 46.121.242.180 | 46-121-242-180.static.012.net.il | Hidden Cobra | High |
| 143 | 46.174.116.60 | - | Hidden Cobra | High |
| 144 | 46.174.116.87 | - | Hidden Cobra | High |
| 145 | 46.174.116.90 | - | Hidden Cobra | High |
| 146 | 46.174.116.99 | - | Hidden Cobra | High |
| 147 | 46.174.116.221 | - | Hidden Cobra | High |
| 148 | 46.174.116.231 | - | Hidden Cobra | High |
| 149 | 46.174.116.234 | - | Hidden Cobra | High |
| 150 | 46.174.117.15 | - | Hidden Cobra | High |
| 151 | 46.174.117.32 | - | Hidden Cobra | High |
| 152 | 46.174.117.36 | - | Hidden Cobra | High |
| 153 | 46.174.117.42 | - | Hidden Cobra | High |
| 154 | 46.174.117.44 | - | Hidden Cobra | High |
| 155 | 46.174.117.50 | - | Hidden Cobra | High |
| 156 | 46.174.117.61 | - | Hidden Cobra | High |
| 157 | 46.174.117.77 | - | Hidden Cobra | High |
| 158 | 46.174.117.80 | - | Hidden Cobra | High |
| 159 | 46.174.117.97 | - | Hidden Cobra | High |
| 160 | 46.174.117.98 | - | Hidden Cobra | High |
| 161 | 46.174.117.103 | - | Hidden Cobra | High |
| 162 | 46.174.117.116 | - | Hidden Cobra | High |
| 163 | 46.174.117.121 | - | Hidden Cobra | High |
| 164 | 46.174.117.129 | - | Hidden Cobra | High |
| 165 | 46.174.117.134 | - | Hidden Cobra | High |
| 166 | 46.174.117.153 | - | Hidden Cobra | High |
| 167 | 46.174.117.164 | - | Hidden Cobra | High |
| 168 | 46.218.127.110 | reverse.completel.fr | Hidden Cobra | High |
| 169 | 47.206.4.145 | static-47-206-4-145.srst.fl.frontiernet.net | Hoplight | High |
| 170 | 49.206.1.61 | 49.206.1.61.actcorp.in | Hidden Cobra | High |
| 171 | 49.247.9.177 | - | - | High |
| 172 | 50.62.168.157 | p3nwvpweb145.shr.prod.phx3.secureserver.net | Fallchill | High |
| 173 | 50.87.144.227 | somethingaboutmarketing.com | - | High |
| 174 | 51.235.1.216 | - | Hidden Cobra | High |
| 175 | 51.235.13.162 | - | Hidden Cobra | High |
| 176 | 51.235.17.133 | - | Hidden Cobra | High |
| 177 | 51.235.19.202 | - | Hidden Cobra | High |
| 178 | 51.235.33.226 | - | Hidden Cobra | High |
| 179 | 51.235.49.202 | - | Hidden Cobra | High |
| 180 | 52.79.118.195 | ec2-52-79-118-195.ap-northeast-2.compute.amazonaws.com | Chemical Sector | Medium |
| 181 | 54.64.30.175 | vega.mh-tec.co.jp | - | High |
| 182 | 58.82.155.98 | 98.155.82.58.static-corp.jastel.co.th | Volgmer | High |
| 183 | 58.185.197.210 | - | Volgmer | High |
| 184 | 59.8.194.228 | - | - | High |
| 185 | 59.90.93.97 | static.bb.knl.59.90.93.97.bsnl.in | Typeframe | High |
| 186 | ... | ... | ... | ... |

There are 741 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by Lazarus. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Weakness | Description | Confidence |
|---|---|---|---|---|
| 1 | T1059.007 | CWE-79 | Cross Site Scripting | High |
| 2 | T1068 | CWE-250, CWE-284 | Execution with Unnecessary Privileges | High |
| 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High |
| 4 | ... | ... | ... | ... |

There are 4 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Lazarus. This data is unique as it uses our predictive model for actor profiling.

| ID | Type | Indicator | Confidence |
|---|---|---|---|
| 1 | File | /alarm_pi/alarmService.php | High |
| 2 | File | /bsms/?page=manage_account | High |
| 3 | File | /company | Medium |
| 4 | File | /company/account/safety/trade | High |
| 5 | File | /company/down_resume/total/nature | High |
| 6 | File | /company/service/increment/add/im | High |
| 7 | File | /company/view_be_browsed/total | High |
| 8 | File | /dashboard/system/express/entities/forms/save_control/[GUID] | High |
| 9 | File | /fm-data.lua | Medium |
| 10 | File | /freelance/resume_list | High |
| 11 | File | /home/campus/campus_job | High |
| 12 | File | /home/job/index | High |
| 13 | File | /home/job/map | High |
| 14 | ... | ... | ... |

There are 108 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2022 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!