fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Lazarus Hackers Target Researchers with Trojanized IDA Pro

Lazarus Hackers Target Researchers with Trojanized IDA Pro

A North Korean state-sponsored hacking group known as Lazarus is again trying to hack security researchers, this time with a trojanized pirated version of the popular IDA Pro reverse engineering application.

IDA Pro is an application that converts an executable into assembly language, allowing security researchers and programmers to analyze how a program works and discover potential bugs.

Security researchers commonly use IDA to analyze legitimate software for vulnerabilities and malware to determine what malicious behavior it performs.

However, as IDA Pro is an expensive application, some researchers download a pirated cracked version instead of purchasing it.

As with any pirated software, there is always the risk of it being tampered modified to include malicious executables, which is precisely what ESET researcher Anton Cherepanov discovered in a pirated version of IDA Pro distributed by the Lazarus hacking group.

Also Read: Data Minimization; Why Bigger is Not Always Better

Trojanized IDA Pro targets security researchers

Today, ESET tweeted about a malicious version of IDA Pro 7.5 discovered by Cherepanov that is being distributed online to target security researchers.

This IDA installer has been modified to include two malicious DLLs named idahelp.dll and win_fw.dll that will be executed when the program is installed.

Malicious DLLs added to pirated IDA Pro
Malicious DLLs added to pirated IDA Pro
Source: ESET

The win_fw.dll file will create a new task in the Windows Task Scheduler that launches the idahelper.dll program.

Also Read: Vulnerability Management For Cybersecurity Dummies

New SRCheck scheduled task created by win_fw.dll
New SRCheck scheduled task created by win_fw.dll
Source: ESET

The idahelper.dll will then connect to the devguardmap[.]org site and download payloads believed to be the NukeSped remote access trojan. The installed RAT will allow the threat actors to gain access to the security researcher’s device to steal files, take screenshots, log keystrokes, or execute further commands.

“Based on the domain and trojanized application, we attribute this malware to known Lazarus activity, previously reported by Google’s Threat Analysis Group and Microsoft,” ESET tweeted regarding connection to Lazarus.

Cherepanov told BleepingComputer that while he does not know how the installer is being distributed, it was discovered recently and appears to have been distributed since Q1 2020

Lazarus has a history of targeting researchers

The Lazarus hacking group, also known as Zinc by Microsoft, has a long history of targeting security researchers with backdoors and remote access trojans.

In January, Google disclosed that Lazarus conducted a social media campaign to create fake personas pretending to be vulnerability researchers.

Fake online security researcher personas
Fake online security researcher personas

Using these personas, the hacking group would contact other security researchers about potential collaboration in vulnerability research.

After establishing contact with a researcher, the hackers would send Visual Studio projects related to an alleged ‘vulnerability,’ which contained a malicious hidden DLL named ‘vcxproj.suo.’

When the researcher attempted to build the project, a pre-build event would execute the DLL, which acted as a custom backdoor installed on the researcher’s device.

Other Lazarus attacks also used an Internet Explorer zero-day to deploy malware on security researcher’s devices when they visited links sent by the attackers.

Exploiting the Lazarus zero-day in Internet Explorer
Exploiting the Lazarus zero-day in Internet Explorer

While it was never determined what the ultimate goal was for these attacks, it was likely to steal undisclosed security vulnerabilities and exploits that the hacking group could use in their own attacks.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us