Preface:
There are books of which the backs and covers are by far the best parts!
― Charles Dickens, Oliver Twist
Discussion details:
Heard that the North Korean government suspected state sponsor of Lazarus Group cyber attack activities. A nick name to Lazarus group dubbed Hidden Cobra exposed to the world mid this year. The US homeland security claimed that they are the suspects of the cyber attack to Sony picture and behind the WannaCry (ransomware) cyber attack. By far we known US homeland security department with high priority to keep track their activities.
DHS malware report (10135536-B) technical findings
There are total 7 items of Portable Executable (PE) files shown on report. We make our discussion in layman terms, say that PE is a executable file. The PE checksum and details shown as below:
- PE file name checksum (MD5): C74E289AD927E81D2A1A56BC73E394AB
Antivirus vendor capable to detect checklist
- K7 – Trojan ( 700000041 )
- Cyren – W32/Heuristic-KPP!Eldorado
- VirusBlokAda – BScope.Trojan.Agent
2. PE file name checksum (MD5): FC9E40100D8DFAE2DF0F30A3414F50EC
Antivirus vendor capable to detect checklist
- Cyren – W32/Heuristic-KPP!Eldorado
- VirusBlokAda – BScope.Trojan.Agent
- F-secure – Gen:Trojan.Heur.LP.Tu4@aqf3yp
- BitDefender – Gen:Trojan.Heur.LP.Tu4@aqf3yp
- Emsisoft – Gen:Trojan.Heur.LP.Tu4@aqf3yp (B)
- F-secure – Gen:Variant.Graftor.373993
- Cyren – W32/Heuristic-KPP!Eldorado
- VirusBlokAda – BScope.Trojan.Agent
- BitDefender – Gen:Variant.Graftor.373993
- Emsisoft – Gen:Variant.Graftor.373993 (B)
5. PE file name checksum (MD5) 9E4D9EDB07C348B10863D89B6BB08141
- F-secure – Gen:Trojan.Heur.LP.hu4@aKqgOsli
- BitDefender – Gen:Trojan.Heur.LP.hu4@aKqgOsli
- Emsisoft – Gen:Trojan.Heur.LP.hu4@aKqgOsli (B)
- F-secure – Trojan.Inject.RO
- VirusBlokAda – BScope.Trojan.Agent
- Ahnlab – Trojan/Win32.Akdoor
- nProtect – Trojan/W64.Agent.95232
- McAfee – Trojan-FLDA!964B291AD9BA
- ClamAV – Win.Trojan.Agent-6319549-0
- Ahnlab – Trojan/Win64.Dllbot
- Quick Heal – Trojan.Generic
It looks confused with managed security services vendor especially APAC country of this cyber alert!
rule Unauthorized_Proxy_Server_RAT { meta: Author="US-CERT Code Analysis Team" Incident="10135536" MD5_1 = "C74E289AD927E81D2A1A56BC73E394AB" MD5_2 = "2950E3741D7AF69E0CA0C5013ABC4209" Info="Detects Proxy Server RAT" super_rule = 1 strings: $s0 = {8A043132C288043125FF00000003C299F73D40404900A14440490003D0413BCF72DE5E5FC3} $s1 = {8A04318844241432C28804318B44241425FF00000003C299F73D40404900A14440490003D0413BCF72D65E5FC3} $s2 = {8A04318844241432C28804318B44241425FF00000003C299F73D5C394100A16039410003D0413BCF72D65E5FC3} $s3 = {8A043132C288043125FF00000003C299F73D5C394100A16039410003D0413BCF72DE5E5FC3} $s4 = {B91A7900008A140780F29A8810404975F4} $s5 = {399FE192769F839DCE9F2A9D2C9EAD9CEB9F D19CA59F7E9F539CEF9F 029F969C6C9E5C9D949FC99F} $s6 = {8A04318844241432C28804318B44241425FF00000003C299F73D40600910A14460091003D0413BCF72D65E5FC3} $s7 = {3C5C75208A41014184C074183C72740C3C7474083C6274043C2275088A41014184C075DC} $s8 = {8B063D9534120077353D59341200722E668B4604663DE8037F24} $s9 = {8BC88B74241CC1E1052BC88B7C2418C1E1048B5C241403C88D04888B4C242083F9018944240C7523} $s10 = {8B063D9034120077353D59341200722E668B4604663DE8037F246685C0} $s11 = {30110FB60148FFC102C20FBEC09941F7F94103D249FFC875E7} $s12 = {448BE8B84FEC C44E41F7EDC1FA038BCAC1E91F03D16BD21A442BEA4183C541} $s13 = {8A0A80F9627C2380F9797F1E80F9647C 0A80F96D7F0580C10BEB 0D80F96F7C0A80F9787F05} condition: any of them }
Reference: The article provided by US Homeland security (see below)
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF
Summary:
In the meantime, I wish you Merry X’mas and Happy New year. Stay tuned!
With thanks! Valuable information!
With thanks! Valuable information!