#1250886: Lazarus targeting banks in Russia - Additional IOCs

Description: The Lazarus campaign aimed at Russia uses malicious Office documents delivered inside ZIP archives, together with a PDF document named NDA_USA.pdf that contains a non-disclosure agreement from StarForce Technologies, a Russian software company that sells copy-protection software.

Reference:
http://securitysummitperu.com/articulos/se-identifico-ataques-del-grupo-cibercriminal-lazarus-dirigidos-a-organizaciones-en-rusia/
First Aid: IOCs:

FileHash-SHA256 1c4745c82fdcb9d05e210eff346d7bee2f087357b17bfcf7c2038c854f0dee61 1
FileHash-MD5 22d53ada23b2625265cdbddc8a599ee0 1
FileHash-MD5 2b68360b0d4e26d2b5f7698fe324b87d 2
FileHash-SHA256 49a23160ba2af4fba0186512783482918b07a32b0e809de0336ba723636ae3b6 2
FileHash-MD5 704d491c155aad996f16377a35732cb4 10
FileHash-MD5 7646d1fa1de852bb99c621f5e9927221 2
FileHash-SHA256 8e099261929b1b09e9d637e8d054d5909b945b4157f29337977eb7f5fb835e5d 1
FileHash-SHA256 9894f6993cae186981ecb034899353a04f1a9b009bdf265cecda9595b725ee20 2
FileHash-MD5 a7be38e8f84c5ad9cce30d009dc31d32 1
FileHash-MD5 dc3fff0873c3e8e853f6c5e01aa94fcf 1
FileHash-SHA256 e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09 12
FileHash-SHA256 f4bdf0f967330f9704b01cc962137a70596822b8319d3b35404eafc9c6d2efe7 1
URL http://37.238.135.70/img/anan.jpg
More info: https://otx.alienvault.com/pulse/5c8b8e19261a7451de02bf60
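The list above is only useful once it is matched against something. As an added example (this is not code from the AlienVault pulse or from the referenced article), the Python below parses the IOC block exactly as printed, normalises the hashes, derives the host IP from the URL indicator, and then runs the result over a few constructed EDR and proxy log lines and over raw file bytes. The log line format, the host and user names in it, and the assumption that the trailing integer on each hash line is an OTX per-indicator count (which the parser ignores) are all mine, not the page's.

```python
import hashlib
import re
from urllib.parse import urlparse

# IOC block copied verbatim from the alert above. The trailing integer per hash
# line is assumed to be an OTX count and is ignored during parsing.
IOC_TEXT = """
FileHash-SHA256 1c4745c82fdcb9d05e210eff346d7bee2f087357b17bfcf7c2038c854f0dee61 1
FileHash-MD5 22d53ada23b2625265cdbddc8a599ee0 1
FileHash-MD5 2b68360b0d4e26d2b5f7698fe324b87d 2
FileHash-SHA256 49a23160ba2af4fba0186512783482918b07a32b0e809de0336ba723636ae3b6 2
FileHash-MD5 704d491c155aad996f16377a35732cb4 10
FileHash-MD5 7646d1fa1de852bb99c621f5e9927221 2
FileHash-SHA256 8e099261929b1b09e9d637e8d054d5909b945b4157f29337977eb7f5fb835e5d 1
FileHash-SHA256 9894f6993cae186981ecb034899353a04f1a9b009bdf265cecda9595b725ee20 2
FileHash-MD5 a7be38e8f84c5ad9cce30d009dc31d32 1
FileHash-MD5 dc3fff0873c3e8e853f6c5e01aa94fcf 1
FileHash-SHA256 e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09 12
FileHash-SHA256 f4bdf0f967330f9704b01cc962137a70596822b8319d3b35404eafc9c6d2efe7 1
URL http://37.238.135.70/img/anan.jpg
"""

# Constructed sample telemetry (not real logs): one EDR file-create event with a
# listed SHA256, one proxy line fetching the listed URL, one benign file event.
SAMPLE_LOGS = [
    "2019-03-15T17:29:00Z host=ws-042 event=file_create path=C:\\Users\\ivan\\Downloads\\NDA_USA.zip "
    "sha256=E23900B00FFD67CD8DFA3283D9CED691566DF6D63D1D46C95B22569B49011F09",
    "2019-03-15T17:30:11Z proxy client=10.0.5.23 method=GET url=http://37.238.135.70/img/anan.jpg status=200",
    "2019-03-15T17:31:02Z host=ws-042 event=file_create path=C:\\Users\\ivan\\Downloads\\report.docx "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

# Try the 64-hex alternative first so a SHA256 is never split into a 32-hex prefix.
HEX_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{32}\b")


def parse_iocs(text):
    """Turn the OTX-style 'Type value [count]' lines into lowercase lookup sets."""
    iocs = {"sha256": set(), "md5": set(), "url": set(), "ip": set()}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        kind, value = parts[0], parts[1]
        if kind == "FileHash-SHA256":
            iocs["sha256"].add(value.lower())
        elif kind == "FileHash-MD5":
            iocs["md5"].add(value.lower())
        elif kind == "URL":
            iocs["url"].add(value)
            host = urlparse(value).hostname
            if host:
                iocs["ip"].add(host)  # also match the bare host in non-URL telemetry
    return iocs


def match_line(line, iocs):
    """Return [(indicator_type, value), ...] for every IOC found in one log line."""
    hits = []
    for h in HEX_RE.findall(line):
        h = h.lower()
        if len(h) == 64 and h in iocs["sha256"]:
            hits.append(("sha256", h))
        elif len(h) == 32 and h in iocs["md5"]:
            hits.append(("md5", h))
    for url in iocs["url"]:
        if url in line:
            hits.append(("url", url))
    for ip in iocs["ip"]:
        # Anchor on non-digit/non-dot boundaries so 37.238.135.70 does not match 137.238.135.70.
        if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
            hits.append(("ip", ip))
    return hits


def scan_logs(lines, iocs):
    """Map line index -> hits, omitting lines with no match."""
    return {i: hits for i, hits in ((i, match_line(l, iocs)) for i, l in enumerate(lines)) if hits}


def check_bytes(data, iocs):
    """Hash raw file bytes and report which listed hashes they match (MD5 is kept only because the alert lists MD5s)."""
    sha = hashlib.sha256(data).hexdigest()
    md5 = hashlib.md5(data).hexdigest()
    hits = []
    if sha in iocs["sha256"]:
        hits.append(("sha256", sha))
    if md5 in iocs["md5"]:
        hits.append(("md5", md5))
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for idx, hits in scan_logs(SAMPLE_LOGS, iocs).items():
        print(f"line {idx}: {hits}")
    print(check_bytes(b"constructed benign sample", iocs))
```

Two caveats a practitioner should keep in mind when using this list: the file hashes identify only the exact samples the pulse author saw, so a recompiled or re-packed lure will not match and the hash sets are best treated as confirmation rather than as the primary detection; and the URL indicator is worth matching on its host IP as well, since proxy and DNS telemetry often record the host without the full path.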

Date added March 15, 2019, 5:29 p.m.
Source AlienVault
Subjects
  • All New Malware Alerts - New Reports / IOCs in
  • APTs - Advanced Persistent Threats - New Reports in
  • APTs - North Korea - New Reports in
  • Hermes Ransomware / North Korea Lazarus Group
  • North Korea - Andariel APT Group - Sub-group Lazarus
  • North Korea - AppleJeus (Lazarus Group)
  • North Korea - Lazarus / APT26 / APT-C-26 / FALLCHILL / Volgmer / Guardians / SectorA01 / Group 77 / Bluenoroff / Blue Noroff / Hidden Cobra / DeltaCharlie / DarkSeoul / Hermit / Stardust Chollima / Nickel Academy / RATANKBA / HARDRAIN / BADCALL / GhostSecret / TYPEFRAME / KEYMARBLE
  • North Korea - Operation Sharpshooter (Related to Lazarus?) / Rising Sun tool
  • North Korea - Ryuk Ransomware / Grim Spider - appears to be connected to Lazarus