Operation Blockbuster
Lazarus Group destructive malware campaign including the Sony Pictures attack and subsequent financially motivated operations.
Start date: 1 January 2009
End date: —
Techniques: 26
Indicators of compromise: 273 (80 SHA256, 57 MD5, 55 SHA1, 30 IP, 27 URL, 24 domain)
Attributed actors
Techniques (26)

collection (1)
T1560.001 Archive via Utility

command-and-control (3)
T1573.001 Symmetric Cryptography
T1105 Ingress Tool Transfer
T1071.001 Web Protocols

credential-access (1)
T1003.001 LSASS Memory

defense-impairment (1)
T1070.001 Clear Windows Event Logs

discovery (3)
T1057 Process Discovery
T1082 System Information Discovery
T1083 File and Directory Discovery

execution (3)
T1059.003 Windows Command Shell
T1059.001 PowerShell
T1053.005 Scheduled Task

exfiltration (1)
T1041 Exfiltration Over C2 Channel

impact (2)
T1486 Data Encrypted for Impact
T1485 Data Destruction

initial-access (3)
T1566.002 Spearphishing Link
T1566.001 Spearphishing Attachment
T1195.002 Compromise Software Supply Chain

lateral-movement (2)
T1021.001 Remote Desktop Protocol
T1021.002 SMB/Windows Admin Shares

persistence (3)
T1547.001 Registry Run Keys / Startup Folder
T1543.003 Windows Service
T1053.005 Scheduled Task

privilege-escalation (4)
T1547.001 Registry Run Keys / Startup Folder
T1055 Process Injection
T1543.003 Windows Service
T1053.005 Scheduled Task

stealth (4)
T1140 Deobfuscate/Decode Files or Information
T1070.004 File Deletion
T1055 Process Injection
T1027 Obfuscated Files or Information
Indicators of compromise (273)
DOMAIN (24)
MD5 (57)
IP (30)
SHA256 (80)
URL (27)
SHA1 (55)