Lazarus hits with Trojanized IDA
Lazarus, the North Korea affiliated state-sponsored group, is attempting to once again target security researchers with backdoors and remote access trojans using a trojanized pirated version of the popular IDA Pro reverse engineering software.
IDA Pro is an Interactive Disassembler that’s designed to translate machine language into assembly language, enabling security researchers to analyze the inner workings of a program as well as function as a debugger to detect errors.
Attackers bundled the original IDA Pro 7.5 software developed by with two malicious components,” one of which is an internal module called “win_fw.dll” that’s executed during installation of the applications. This tampered version is then orchestrated to load a second component named “idahelper.dll” from the IDA plugins folder on the system.
Upon successful execution, the “idahelper.dll” binary connects to a remote server at “www[.]devguardmap[.]org” to retrieve subsequent payloads. The domain is also notable for the fact that it’s been previously linked to a similar North Korea-backed campaign aimed at security professionals and disclosed by Google’s Threat Analysis Group earlier this March.
Known by the monikers APT38, Hidden Cobra, and Zinc, the Lazarus Group is known to be active as early as 2009 and linked to a string of attacks for financial gain and harvesting sensitive information from compromised environments.
Indicators of Compromise
- win_fw.dll A8EF73CC67C794D5AA860538D66898868EE0BEC0
- idahelper.dll DE0E23DB04A7A780A640C656293336F80040F387