Analysis of the attack activities of APT-C-26 (Lazarus) using weaponized IPMsg software

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

The Lazarus group, a highly active APT organization, has been observed weaponizing the IPMsg installer for attacks. When executed, the malicious installer drops the official IPMsg version 5.6.18.0 to deceive users while loading a malicious DLL in memory. This DLL connects to a remote control server to download backdoor programs and steal sensitive information. The attack showcases Lazarus' social engineering skills, effectively inducing users to execute malicious programs. The report details the attack process, payload analysis, and communication with the command and control server. The group's use of the domain cryptocopedia.com for C2 communications, along with URL patterns and TTPs similar to those seen in earlier Lazarus activity, strongly suggests Lazarus' involvement in this campaign.

OPENCTI LABELS:

apt,backdoor,social engineering,data theft,c2 communication,ipmsg,dll64.dll,loader1.dll,att_loader_dll.dll,weaponized installer
