IPMsg Installer Weaponized: Lazarus Group Targets Crypto & Finance

The notorious APT-C-26 (Lazarus) group, known for its advanced persistence and cyber espionage tactics, has resurfaced with a new campaign targeting financial institutions and cryptocurrency exchanges. In a recent analysis by the 360 Threat Intelligence Center, Lazarus was found to have weaponized the popular IPMsg installer, transforming it into a tool for delivering backdoors and stealing sensitive information.

The attack begins with a weaponized version of the IPMsg installer. Upon execution, the installer deploys two components:

1. A legitimate IPMsg installer (version 5.6.18.0) to maintain credibility.
2. A malicious DLL file that initiates a multi-stage attack, ultimately communicating with a command-and-control (C2) server.

This strategy reflects Lazarus’s expertise in social engineering, effectively tricking users into executing the malicious program.

The malicious DLL goes through several decryption and execution stages, culminating in a backdoor that allows the attackers to download further payloads and exfiltrate data.

Lazarus employed advanced evasion techniques to avoid detection. The DLL files include stack-based checks to ensure they cannot run independently in sandbox environments. Moreover, the group used legitimate-looking domains, such as cryptocopedia[.]com, to host their C2 infrastructure.

All executables involved, including the initial installer, are designed to appear legitimate, adding a layer of credibility that helps bypass traditional security measures.

The tactics, techniques, and procedures (TTPs) observed in this campaign align closely with previous Lazarus operations. The use of cryptocopedia[.]com and similar URLs, combined with geopolitical targeting patterns, strongly suggests the involvement of this North Korean-linked threat group.

The similarities in domain usage and operational methods give us high confidence in attributing this campaign to the Lazarus group, stated the 360 Threat Intelligence Center.

As Lazarus continues to evolve its tactics, organizations must remain vigilant. The group’s ability to weaponize legitimate software highlights the importance of robust security measures and proactive threat intelligence.

Related Posts:

• Temptation from Money: Lazarus APT extended to cryptocurrencies
• From Spear-Phishing to Zero-Day: Lazarus Group’s Latest Cyber Strategies
• North Korea’s Lazarus Group: A Persistent Threat to the Defense Sector
• FakeBat Malware Surge Exposes the Dangers of Evolving Malvertising Campaigns
• Microsoft Announces Critical Change to .NET Installer Distribution Domains