Posted on Leave a comment

North Korean Hackers Use A Rootkit Version Of IDA Pro To Attack Cybersecurity Researchers.

ESET Security researcher Anton Cherepanov  tweet the post as    “Attackers replaced win_fw.dll, an internal component that is executed during IDA Pro installation, with a malicious DLL. The malicious win_fw.dll creates a Windows scheduled task that starts a second malicious component, idahelper.dll, from the IDA plugins folder.” 

Using a trojanized pirated version of the popular IDA Pro reverse engineering programme, Lazarus, a North Korean-affiliated state-sponsored group, is attempting to target security researchers with backdoors and remote access trojans once again.

IDA Pro is an Interactive Disassembler that converts machine language (aka executables) into assembly language, allowing security researchers to examine the inner workings of a programme (malicious or not) and act as a debugger to find errors.

The Lazarus Group, also known as APT38, Hidden Cobra, and Zinc, has been linked to a series of attacks for financial gain and the theft of sensitive information from targeted environments since 2009.

According to the Slovak cybersecurity firm. One of the malicious components is an internal module called “win fw.dll,” which is executed during the application’s installation. This altered version is then used to load a second component called “idahelper.dll” from the system’s IDA plugins folder.

Google’s Threat Analysis Group in March revealed that , The “idahelper.dll” programme connects to a remote server at “www[.]devguardmap[.]org” to obtain further payloads after successful execution. The domain is especially notable because it was previously tied to a similar North Korean-backed effort targeting at security professionals.

Microsoft eventually fixed the problem in its March 2021 Patch Tuesday release. In order to trick unsuspecting researchers into visiting the company’s malware-laced website and causing an exploit that utilised a then-zero-day in Internet Explorer browser, the adversaries set up a fake security company called SecuriElite, as well as a number of social media accounts across Twitter and LinkedIn.

According to the US Office of the Director of National Intelligence’s 2021 Annual Danger Assessment published earlier this April, “North Korea’s cyber programme offers a growing espionage, theft and assault threat.”

Finally the researchers concluded that, “North Korea has undertaken cyber theft against financial institutions and cryptocurrency exchanges around the world, potentially stealing hundreds of millions of dollars to support government objectives including its nuclear and missile programmes,” .

Indicators Of Compromise:

: win_fw.dll A8EF73CC67C794D5AA860538D66898868EE0BEC0 idahelper.dll DE0E23DB04A7A780A640C656293336F80040F387

: Win32/NukeSped.KZ Win64/NukeSped.JS

devguardmap[.]org

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Leave a Reply