IDA - APT (but not that one)

Nov 10, 2021 22:15

I warned that releases after 2011 should not be used without verification or without the original installers, and that sooner or later someone would do something like this. One such case:

#ESETresearch (hello) discovered a trojanized IDA Pro installer, distributed by the #Lazarus APT group. Attackers bundled the original IDA Pro 7.5 software developed by @HexRaysSA with two malicious components.

Attackers replaced win_fw.dll, an internal component that is executed during IDA Pro installation, with a malicious DLL. The malicious win_fw.dll creates a Windows scheduled task that starts a second malicious component, idahelper.dll, from the IDA plugins folder.

Once started, the idahelper.dll attempts to download and execute a next-stage payload from https://wwwdevguardmaporg/board/board_read.asp?boardid=01

Based on the domain and trojanized application, we attribute this malware to known Lazarus activity, previously reported by Google's Threat Analysis Group and Microsoft: https://blog.google/threat-analysis-group/update-campaign-targeting-security-researchers/ and https://microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/

IoCs (file name, SHA-1, ESET detection name):
win_fw.dll A8EF73CC67C794D5AA860538D66898868EE0BEC0 Win32/NukeSped.KZ
idahelper.dll DE0E23DB04A7A780A640C656293336F80040F387 Win64/NukeSped.JS
devguardmap.org

https://twitter.com/ESETresearch/status/1458438155149922312
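The check a practitioner would want after reading this is a hash sweep of an existing IDA installation against the two published SHA-1 values. The script below is an added example, not ESET's or Hex-Rays' code: it walks an install tree, hashes every DLL, flags files whose SHA-1 matches the IoCs above, and separately flags any file named idahelper.dll in the tree because the post describes it as a dropped component (the assumption that a stock IDA install ships no file by that name is mine, so a name-only hit is marked for manual review rather than declared malicious). The demo() helper builds a constructed directory with placeholder files so the scan can be exercised offline; no real samples are involved.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-1 values published by ESET for the two trojanized IDA Pro 7.5 components.
IOC_SHA1 = {
    "a8ef73cc67c794d5aa860538d66898868ee0bec0": ("win_fw.dll", "Win32/NukeSped.KZ"),
    "de0e23db04a7a780a640c656293336f80040f387": ("idahelper.dll", "Win64/NukeSped.JS"),
}

# Assumption: a legitimate IDA install has no plugin called idahelper.dll, so the
# bare name is worth a look even when the hash does not match (a repacked build
# would have a different digest).
SUSPECT_NAMES = {"idahelper.dll"}


def sha1_of_file(path):
    """Stream a file through SHA-1 and return the lowercase hex digest."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_ida_dir(root, iocs=IOC_SHA1):
    """Walk an IDA install tree and return a list of findings.

    Each finding is a dict with the path, its SHA-1, the match type
    ("ioc" for a hash hit, "suspicious_name" for a name-only hit) and the
    detection name when known.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".dll"):
                continue  # only DLLs are relevant to this case; keeps the scan cheap
            p = Path(dirpath) / name
            digest = sha1_of_file(p)
            if digest in iocs:
                findings.append({"path": str(p), "sha1": digest,
                                 "match": "ioc", "detection": iocs[digest][1]})
            elif name.lower() in SUSPECT_NAMES:
                findings.append({"path": str(p), "sha1": digest,
                                 "match": "suspicious_name", "detection": None})
    return findings


def demo():
    """Build a constructed IDA-like tree with placeholder files and scan it.

    The placeholder bytes are invented for the demo; to exercise the hash path
    without a real sample, the demo adds the placeholder win_fw.dll digest to a
    copy of the IoC set under a clearly labelled test entry.
    """
    base = Path(tempfile.mkdtemp())
    (base / "plugins").mkdir()
    (base / "win_fw.dll").write_bytes(b"constructed placeholder for win_fw.dll")
    (base / "plugins" / "idahelper.dll").write_bytes(b"constructed placeholder, not the sample")
    (base / "plugins" / "benign.dll").write_bytes(b"constructed benign plugin")
    iocs = dict(IOC_SHA1)
    iocs[sha1_of_file(base / "win_fw.dll")] = ("win_fw.dll", "constructed-test-entry")
    return scan_ida_dir(base, iocs)


if __name__ == "__main__":
    # Against a real install: python scan.py "C:\Program Files\IDA Pro 7.5"
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for f in (scan_ida_dir(target) if target else demo()):
        print(f["match"], f["path"], f["sha1"], f["detection"])
```

A hash hit on either file is conclusive; a name-only hit means hashing a different build and checking the scheduled tasks the post mentions, since the malicious win_fw.dll persists through Task Scheduler rather than through the plugin itself.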

#lazarus, warez, malware, #esetresearch, apt, leak, ida
