Lazarus Group Uses the DLL Side-Loading Technique (2)

In the earlier blog post “Lazarus Group Uses the DLL Side-Loading Technique”, AhnLab Security Intelligence Center (ASEC) covered how the Lazarus group used DLL side-loading with legitimate applications during initial access to move to the next stage of its attack chain. This post covers the newly added DLL variants and the routine they use to verify that they are running on an intended target. The Lazarus group is an APT group that targets South Korean companies, institutions, think tanks, and others. On January 12, 2024, a new legitimate program abused for DLL side-loading (T1574.002 Hijack Execution Flow: DLL Side-Loading), a technique the Lazarus group commonly uses to execute malware, was discovered through AhnLab Smart Defense (ASD).

Disclaimer: This article is part of X-Force OSINT Advisories’ automated collection to enable faster integration of open-source articles into client environments. All credit and copyright go to the original authors.

Reference: https://asec.ahnlab.com/en/60792/

Sample Indicators of Compromise:

edca71eda8650a2c591c37c780b6a0c521def97a3c5b95df1e1aeb6486881656
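The summary above describes the side-loading layout (a DLL planted beside a legitimate, signed executable) and lists one SHA-256 indicator. The script below is an added example for hunting on an endpoint, not tooling from ASEC or X-Force: it streams every file under a root through SHA-256 and compares against the indicator set, and separately flags any DLL that shares a directory with an executable outside the standard Windows install paths, which is the file arrangement DLL side-loading depends on. The trusted-path prefixes and the throwaway sample directory are assumptions constructed here for illustration.

```python
"""Hunt for the advisory's SHA-256 indicator and for DLL side-loading candidates.

Added example for this advisory summary; not ASEC's or X-Force's code.
The trusted directory prefixes and the sample files are constructed assumptions.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 indicator listed in the advisory.
ADVISORY_IOCS = {
    "edca71eda8650a2c591c37c780b6a0c521def97a3c5b95df1e1aeb6486881656",
}

# Locations where a DLL beside an executable is expected (assumption:
# Windows default install paths). Anywhere else, that layout merits review.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash the file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _norm(p: str) -> str:
    """Case-fold and normalise separators so prefix comparison is consistent."""
    p = p.lower().replace("/", "\\")
    return p if p.endswith("\\") else p + "\\"


def is_trusted_dir(directory: Path, trusted_prefixes=TRUSTED_DIR_PREFIXES) -> bool:
    d = _norm(str(directory))
    return any(d.startswith(_norm(t)) for t in trusted_prefixes)


def scan_tree(root: Path, iocs=ADVISORY_IOCS, trusted_prefixes=TRUSTED_DIR_PREFIXES):
    """Return (kind, path) findings.

    "ioc_match":          the file's SHA-256 is in the indicator set.
    "sideload_candidate": a .dll shares a directory with an .exe outside the
                          trusted prefixes, the layout side-loading relies on.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        directory = Path(dirpath)
        has_exe = any(f.lower().endswith(".exe") for f in files)
        for name in files:
            path = directory / name
            if not path.is_file():
                continue
            if sha256_of_file(path) in iocs:
                findings.append(("ioc_match", str(path)))
            if (name.lower().endswith(".dll") and has_exe
                    and not is_trusted_dir(directory, trusted_prefixes)):
                findings.append(("sideload_candidate", str(path)))
    return findings


def build_constructed_sample() -> Path:
    """Create a throwaway directory mimicking the side-loading layout:
    a benign-looking executable next to a DLL. Constructed data, not a real sample."""
    root = Path(tempfile.mkdtemp(prefix="sideload_demo_"))
    (root / "viewer.exe").write_bytes(b"MZ placeholder executable (constructed)")
    (root / "helper.dll").write_bytes(b"placeholder dll body (constructed)")
    return root


def demo():
    """Scan the constructed directory; the DLL's own hash is added to the
    indicator set so that the IoC-match path is exercised as well."""
    root = build_constructed_sample()
    demo_iocs = ADVISORY_IOCS | {sha256_of_file(root / "helper.dll")}
    return scan_tree(root, iocs=demo_iocs, trusted_prefixes=TRUSTED_DIR_PREFIXES)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind}: {path}")
```

Run as-is it reports two findings on the constructed `helper.dll`: the hash match and the side-loading candidate. On a real endpoint, point `scan_tree` at user-writable locations (profile, temp and download directories) where a planted executable-plus-DLL pair is most likely to appear, and treat a candidate hit as a prompt to check the DLL's signature and origin rather than as a verdict.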
