cyber_threat_intelligence/actors/Lazarus/README.md

Lazarus - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as Lazarus. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.lazarus

Campaigns

The following campaigns are known and can be associated with Lazarus:

• AppleJeus
• Chemical Sector
• DTrack
• Fallchill
• Hidden Cobra
• ...

There are 11 more campaign items available. Please use our online service to access the data.

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lazarus:

• VN
• IN
• US
• ...

There are 13 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of Lazarus.

ID	IP address	Hostname	Campaign	Confidence
1	1.251.44.118	-	-	High
2	2.50.22.137	-	Hidden Cobra	High
3	2.50.22.189	-	Hidden Cobra	High
4	2.50.25.205	-	Hidden Cobra	High
5	2.50.27.239	-	Hidden Cobra	High
6	2.50.40.245	-	Hidden Cobra	High
7	2.93.86.36	-	Hidden Cobra	High
8	2.93.86.38	-	Hidden Cobra	High
9	2.93.86.65	-	Hidden Cobra	High
10	2.93.86.89	-	Hidden Cobra	High
11	2.93.86.106	-	Hidden Cobra	High
12	2.93.86.136	-	Hidden Cobra	High
13	2.93.86.150	-	Hidden Cobra	High
14	2.93.86.194	-	Hidden Cobra	High
15	2.93.86.197	-	Hidden Cobra	High
16	2.93.86.224	-	Hidden Cobra	High
17	2.93.86.226	-	Hidden Cobra	High
18	2.93.86.247	-	Hidden Cobra	High
19	2.93.86.251	-	Hidden Cobra	High
20	2.93.86.253	-	Hidden Cobra	High
21	2.93.131.116	-	Hidden Cobra	High
22	2.93.131.179	-	Hidden Cobra	High
23	2.93.238.2	-	Hidden Cobra	High
24	2.93.238.12	-	Hidden Cobra	High
25	2.93.238.20	-	Hidden Cobra	High
26	2.93.238.26	-	Hidden Cobra	High
27	2.93.238.35	-	Hidden Cobra	High
28	2.93.238.93	-	Hidden Cobra	High
29	2.93.238.146	-	Hidden Cobra	High
30	2.93.238.167	-	Hidden Cobra	High
31	2.93.238.176	-	Hidden Cobra	High
32	2.93.238.183	-	Hidden Cobra	High
33	2.93.238.199	-	Hidden Cobra	High
34	2.93.238.213	-	Hidden Cobra	High
35	2.93.238.215	-	Hidden Cobra	High
36	2.93.238.222	-	Hidden Cobra	High
37	2.93.238.252	-	Hidden Cobra	High
38	2.93.238.253	-	Hidden Cobra	High
39	2.93.248.5	-	Hidden Cobra	High
40	2.93.248.46	-	Hidden Cobra	High
41	2.94.53.139	-	Hidden Cobra	High
42	2.94.65.211	-	Hidden Cobra	High
43	2.94.65.246	-	Hidden Cobra	High
44	2.94.82.42	-	Hidden Cobra	High
45	2.94.117.30	-	Hidden Cobra	High
46	2.94.117.46	-	Hidden Cobra	High
47	2.94.117.47	-	Hidden Cobra	High
48	2.94.117.56	-	Hidden Cobra	High
49	2.94.209.30	-	Hidden Cobra	High
50	2.187.99.180	-	Hidden Cobra	High
51	3.239.189.175	ec2-3-239-189-175.compute-1.amazonaws.com	-	Medium
52	5.22.137.178	mail.bpdl.co.uk	Hidden Cobra	High
53	5.22.140.93	5-22-140-93.host.as51043.net	Hidden Cobra	High
54	5.41.88.137	-	Hidden Cobra	High
55	5.41.89.32	-	Hidden Cobra	High
56	5.41.94.221	-	Hidden Cobra	High
57	5.41.190.7	-	Hidden Cobra	High
58	5.41.201.151	-	Hidden Cobra	High
59	5.41.237.214	-	Hidden Cobra	High
60	5.79.99.169	nsg037-19.divide.nl	Fallchill	High
61	5.98.91.76	host-5-98-91-76.business.telecomitalia.it	Hidden Cobra	High
62	5.141.87.156	5-141-97-156.static-adsl.isurgut.ru	Hidden Cobra	High
63	5.189.190.67	m2767.contaboserver.net	Hidden Cobra	High
64	5.200.154.208	-	Hidden Cobra	High
65	5.200.177.218	-	Hidden Cobra	High
66	5.200.191.104	-	Hidden Cobra	High
67	5.200.198.10	-	Hidden Cobra	High
68	5.200.202.99	-	Hidden Cobra	High
69	13.88.245.250	-	-	High
70	14.102.46.3	-	Volgmer	High
71	14.139.125.214	-	Volgmer	High
72	14.140.123.179	14.140.123.179.static-pune-vsnl.net.in	Hidden Cobra	High
73	14.141.27.100	14.141.26.100.static-Mumbai.vsnl.net.in	Hidden Cobra	High
74	14.141.129.116	14.141.129.116.static-Delhi.vsnl.net.in	Volgmer	High
75	14.149.149.211	-	Hidden Cobra	High
76	21.252.107.198	-	Hoplight	High
77	23.81.246.107	-	-	High
78	23.81.246.131	-	South Korea	High
79	23.81.246.179	-	-	High
80	23.82.141.50	-	-	High
81	23.82.141.172	-	-	High
82	23.94.37.55	23-94-37-55-host.colocrossing.com	-	High
83	23.94.139.92	23-94-139-92-host.colocrossing.com	-	High
84	23.95.67.143	23-95-67-143-host.colocrossing.com	-	High
85	23.106.160.40	-	-	High
86	23.106.223.194	-	-	High
87	23.108.57.232	-	-	High
88	23.152.0.232	betrp-basisto.seemband.com	-	High
89	23.227.196.5	23-227-196-5.static.hvvc.us	-	High
90	23.227.196.116	23-227-196-116.static.hvvc.us	-	High
91	23.227.199.21	23-227-199-21.static.hvvc.us	-	High
92	23.227.199.53	23-227-199-53.static.hvvc.us	-	High
93	23.227.199.69	23-227-199-69.static.hvvc.us	-	High
94	23.229.111.197	-	-	High
95	23.254.119.12	-	-	High
96	26.165.218.44	-	Hoplight	High
97	27.96.110.130	130.110.96.27.static.m1net.com.sg	Hidden Cobra	High
98	27.114.187.37	-	Volgmer	High
99	27.123.221.66	66-221.fiber.net.id	Fallchill	High
100	27.125.35.229	-	Hidden Cobra	High
101	31.11.32.79	websn1s069.aruba.it	Netherlands and Belgium	High
102	31.47.47.130	-	Hidden Cobra	High
103	31.54.73.156	host31-54-73-156.range31-54.btcentralplus.com	Hidden Cobra	High
104	31.54.74.176	host31-54-74-176.range31-54.btcentralplus.com	Hidden Cobra	High
105	31.146.82.22	31-146-82-22.dsl.utg.ge	Volgmer	High
106	31.146.136.6	31-146-136-6.dsl.utg.ge	Hidden Cobra	High
107	31.168.203.44	bzq-203-168-31-44.red.bezeqint.net	Hidden Cobra	High
108	31.186.8.221	-	-	High
109	36.71.90.4	-	Fallchill	High
110	37.34.240.177	-	Hidden Cobra	High
111	37.48.106.69	high-convey.blockother.com	Hidden Cobra	High
112	37.71.50.2	2.50.71.37.rev.sfr.net	Hidden Cobra	High
113	37.72.168.228	228.168.72.37.static.swiftway.net	-	High
114	37.72.175.135	37-72-175-135.static.hvvc.us	-	High
115	37.72.175.179	37-72-175-179.static.hvvc.us	-	High
116	37.72.175.196	37-72-175-196.static.hvvc.us	-	High
117	37.75.0.98	-	Hidden Cobra	High
118	37.75.2.203	-	Hidden Cobra	High
119	37.75.10.194	mail.kplus.com.tr	Hidden Cobra	High
120	37.75.11.162	37-75-11-162.rdns.saglayici.net	Hidden Cobra	High
121	37.98.114.90	90.mobinnet.net	Volgmer	High
122	37.104.24.220	-	Hidden Cobra	High
123	37.104.50.144	-	Hidden Cobra	High
124	37.104.67.33	-	Hidden Cobra	High
125	37.105.234.200	-	Hidden Cobra	High
126	37.106.115.3	-	Hidden Cobra	High
127	37.143.29.10	-	Hidden Cobra	High
128	37.148.209.156	37-148-209-156.cizgi.net.tr	Hidden Cobra	High
129	37.216.67.155	-	Volgmer	High
130	37.216.213.70	-	Hidden Cobra	High
131	37.235.21.166	-	Volgmer	High
132	37.238.135.70	-	-	High
133	38.132.124.161	-	TraderTraitor	High
134	40.121.90.194	-	-	High
135	41.57.108.68	-	Hidden Cobra	High
136	41.67.136.38	netcomafrica.com	Hidden Cobra	High
137	41.67.136.39	netcomafrica.com	Hidden Cobra	High
138	41.72.99.5	-	Hidden Cobra	High
139	41.72.101.138	-	Hidden Cobra	High
140	41.74.166.253	-	Hidden Cobra	High
141	41.92.208.194	-	Fallchill	High
142	41.92.208.196	-	Fallchill	High
143	41.92.208.197	-	Fallchill	High
144	41.110.179.197	-	Hidden Cobra	High
145	41.128.226.60	-	Hidden Cobra	High
146	41.131.49.228	host-41-131-49-228.static.link.com.eg	Hidden Cobra	High
147	41.131.164.156	-	Hidden Cobra	High
148	41.134.208.234	41-134-208-234.dsl.mweb.co.za	Hidden Cobra	High
149	41.182.252.56	ADSL-41-182-252-56.ipb.na	Hidden Cobra	High
150	41.205.139.34	ADSL-41-205-139-34.ipb.na	Hidden Cobra	High
151	41.208.106.68	owa.altaqnya.com.ly	Hidden Cobra	High
152	41.208.106.70	dc1.Mail.dsmhlc.ly	Hidden Cobra	High
153	41.215.250.40	-	Hidden Cobra	High
154	41.223.30.20	host30-20.creolink.com	Hidden Cobra	High
155	41.224.254.90	-	Hidden Cobra	High
156	43.249.216.6	-	Volgmer	High
157	45.33.2.79	li956-79.members.linode.com	AppleJeus	High
158	45.33.23.183	li977-183.members.linode.com	AppleJeus	High
159	45.56.79.23	li929-23.members.linode.com	AppleJeus	High
160	45.58.112.77	-	-	High
161	45.79.19.196	li1118-196.members.linode.com	AppleJeus	High
162	45.118.34.215	-	Volgmer	High
163	45.120.61.145	-	Hidden Cobra	High
164	45.122.138.130	-	-	High
165	45.124.169.36	-	Volgmer	High
166	45.128.156.27	smtp.flatmeadow.com	-	High
167	45.199.63.220	-	AppleJeus	High
168	46.16.62.238	fnadh-35.srv.cat	TraderTraitor	High
169	46.19.101.186	ip-46-19-101-186.gnc.net	Hidden Cobra	High
170	46.21.147.161	46-21-147-161.static.hvvc.us	-	High
171	46.21.153.87	87.153.21.46.static.swiftway.net	-	High
172	46.52.131.102	-	Hidden Cobra	High
173	46.121.242.180	46-121-242-180.static.012.net.il	Hidden Cobra	High
174	46.174.116.60	-	Hidden Cobra	High
175	46.174.116.87	-	Hidden Cobra	High
176	46.174.116.90	-	Hidden Cobra	High
177	46.174.116.99	-	Hidden Cobra	High
178	46.174.116.221	-	Hidden Cobra	High
179	46.174.116.231	-	Hidden Cobra	High
180	46.174.116.234	-	Hidden Cobra	High
181	46.174.117.15	-	Hidden Cobra	High
182	46.174.117.32	-	Hidden Cobra	High
183	46.174.117.36	-	Hidden Cobra	High
184	46.174.117.42	-	Hidden Cobra	High
185	46.174.117.44	-	Hidden Cobra	High
186	46.174.117.50	-	Hidden Cobra	High
187	46.174.117.61	-	Hidden Cobra	High
188	46.174.117.77	-	Hidden Cobra	High
189	46.174.117.80	-	Hidden Cobra	High
190	46.174.117.97	-	Hidden Cobra	High
191	46.174.117.98	-	Hidden Cobra	High
192	46.174.117.103	-	Hidden Cobra	High
193	46.174.117.116	-	Hidden Cobra	High
194	46.174.117.121	-	Hidden Cobra	High
195	46.174.117.129	-	Hidden Cobra	High
196	46.174.117.134	-	Hidden Cobra	High
197	46.174.117.153	-	Hidden Cobra	High
198	46.174.117.164	-	Hidden Cobra	High
199	46.183.221.109	ip-221-109.dataclub.info	-	High
200	46.218.127.110	reverse.completel.fr	Hidden Cobra	High
201	47.206.4.145	static-47-206-4-145.srst.fl.frontiernet.net	Hoplight	High
202	49.206.1.61	49.206.1.61.actcorp.in	Hidden Cobra	High
203	49.247.9.177	-	-	High
204	50.62.168.157	p3nwvpweb145.shr.prod.phx3.secureserver.net	Fallchill	High
205	50.87.144.227	somethingaboutmarketing.com	-	High
206	50.192.28.29	speed-stream.com	Netherlands and Belgium	High
207	51.38.234.8	hydra.skok.pl	-	High
208	51.68.119.230	ns3145204.ip-51-68-119.eu	-	High
209	51.79.44.111	server2.urgentfury.net	-	High
210	51.235.1.216	-	Hidden Cobra	High
211	51.235.13.162	-	Hidden Cobra	High
212	51.235.17.133	-	Hidden Cobra	High
213	51.235.19.202	-	Hidden Cobra	High
214	51.235.33.226	-	Hidden Cobra	High
215	51.235.49.202	-	Hidden Cobra	High
216	52.79.118.195	ec2-52-79-118-195.ap-northeast-2.compute.amazonaws.com	Chemical Sector	Medium
217	52.128.23.153	-	DTrack	High
218	52.202.193.124	ec2-52-202-193-124.compute-1.amazonaws.com	MagicRAT	Medium
219	54.38.11.132	ip132.ip-54-38-11.eu	-	High
220	54.39.64.114	server2.urgentfury.net	-	High
221	54.39.204.190	ip190.ip-54-39-204.net	-	High
222	54.64.30.175	vega.mh-tec.co.jp	-	High
223	54.68.42.4	ec2-54-68-42-4.us-west-2.compute.amazonaws.com	-	Medium
224	54.241.91.49	ec2-54-241-91-49.us-west-1.compute.amazonaws.com	-	Medium
225	58.82.155.98	98.155.82.58.static-corp.jastel.co.th	Volgmer	High
226	...	...	...	...

There are 902 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by Lazarus. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Weakness	Description	Confidence
1	T1006	CWE-21, CWE-22, CWE-23, CWE-24	Pathname Traversal	High
2	T1040	CWE-294, CWE-319	Authentication Bypass by Capture-replay	High
3	T1055	CWE-74	Injection	High
4	T1059	CWE-88, CWE-94	Cross Site Scripting	High
5	T1059.007	CWE-79, CWE-80, CWE-87	Cross Site Scripting	High
6	T1068	CWE-250, CWE-264, CWE-267, CWE-269, CWE-271, CWE-284	Execution with Unnecessary Privileges	High
7	...	...	...	...

There are 23 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Lazarus. This data is unique as it uses our predictive model for actor profiling.

ID	Type	Indicator	Confidence
1	File	/admin/blog/blogcategory/add/?_to_field=id&_popup=1	High
2	File	/api/audits	Medium
3	File	/bsms_ci/index.php/user/edit_user/	High
4	File	/cgi-bin/R14.2/easy1350.pl	High
5	File	/cgi-bin/R14.2/log.pl	High
6	File	/ctcprotocol/Protocol	High
7	File	/env	Low
8	File	/etc/tomcat8/Catalina/attack	High
9	File	/face-recognition-php/facepay-master/camera.php	High
10	File	/forum/away.php	High
11	File	/FreshRSS/p/ext.php	High
12	File	/goform/addressNat	High
13	File	/goform/CertListInfo	High
14	File	/goform/fast_setting_wifi_set	High
15	File	/goform/IPSECsave	High
16	File	/goform/L7Im	Medium
17	File	/goform/NatStaticSetting	High
18	File	/goform/qossetting	High
19	File	/goform/SafeClientFilter	High
20	File	/goform/SafeMacFilter	High
21	File	/goform/SafeUrlFilter	High
22	File	/goform/setMacFilterCfg	High
23	File	/goform/SysToolReboot	High
24	File	/goform/SysToolRestoreSet	High
25	File	/goform/VirtualSer	High
26	File	/hrm/controller/employee.php	High
27	File	/hrm/employeeadd.php	High
28	File	/hrm/employeeview.php	High
29	File	/ims/login.php	High
30	File	/leave_system/admin/?page=maintenance/department	High
31	...	...	...

There are 262 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

• https://1275.ru/ioc/189/lazarus-apt-iocs/
• https://1275.ru/ioc/237/lazarus-apt-iocs-part-2/
• https://asec.ahnlab.com/en/33801/
• https://asec.ahnlab.com/en/34461/
• https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html
• https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
• https://blogs.jpcert.or.jp/ja/2022/06/yamabot.html
• https://community.blueliv.com/#!/s/60c8c76482df413eb5356c34
• https://community.blueliv.com/#!/s/603fdde582df413eb5355915
• https://community.blueliv.com/#!/s/631ae2e082df41552632fe3e
• https://github.com/blackorbird/APT_REPORT/blob/master/lazarus/Dream-Job-Campaign.pdf
• https://github.com/blackorbird/APT_REPORT/blob/master/lazarus/lazarus-threat-intel-report2.pdf
• https://github.com/blackorbird/APT_REPORT/tree/master/lazarus
• https://github.com/hvs-consulting/ioc_signatures/blob/main/Lazarus_APT37/HvS_APT37_2020_Command_and_Control.csv
• https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
• https://research.checkpoint.com/2019/north-korea-turns-against-russian-targets/
• https://securelist.com/dtrack-targeting-europe-latin-america/107798/
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
• https://us-cert.cisa.gov/ncas/alerts/aa21-048a
• https://us-cert.cisa.gov/ncas/alerts/TA17-164A
• https://us-cert.cisa.gov/ncas/alerts/TA17-318A
• https://us-cert.cisa.gov/ncas/alerts/TA17-318B
• https://us-cert.cisa.gov/ncas/analysis-reports/AR18-165A
• https://us-cert.cisa.gov/ncas/analysis-reports/AR18-221A
• https://us-cert.cisa.gov/ncas/analysis-reports/AR19-100A
• https://us-cert.cisa.gov/ncas/analysis-reports/ar20-045d
• https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c
• https://vxug.fakedoma.in/archive/APTs/2021/2021.04.27/Lazarus%20Group%20Recruitment.pdf
• https://www.cisa.gov/uscert/ncas/alerts/aa22-108a
• https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/
• https://www.threatminer.org/report.php?q=LAZARUS&WATERING-HOLEATTACKS-BAESystems.pdf&y=2017
• https://www.trendmicro.com/en_us/research/18/k/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america.html
• https://www.trendmicro.com/en_us/research/20/e/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability.html
• https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/
• https://www.zscaler.com/blogs/security-research/naver-ending-game-lazarus-apt

Literature

The following articles explain our unique predictive cyber threat intelligence:

• VulDB Cyber Threat Intelligence Documentation
• Cyber Threat Intelligence - Early Anticipation of Attacks

License

(c) 1997-2023 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!