
Lazarus group leverages Covid themed HWP Document

Lazarus Group, a North Korean nation-state sponsored threat actor, serves as an umbrella for several subgroups and has been conducting extensive operations since at least 2009.

Lazarus is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions, as well as some of the world’s largest cyber heists. Based on widely publicized operations alone, the group has attempted to steal more than $1.1 billion. Instead of simply obtaining access and moving to transfer funds as quickly as possible, Lazarus is believed to operate more like an espionage operation, carefully conducting reconnaissance within compromised financial institutions and balancing financially motivated objectives with learning about internal systems.

In a recent campaign, Lazarus is using Covid-themed HWP documents targeting South Korea.

One of the executables uploaded from South Korea to the VirusTotal repository matched a YARA rule for detecting a reflective loader. This sample caught my attention since it was delivered by a Covid-themed HWP document and was found to be used by the Lazarus group.

Intelligence Analysis:

An OSINT investigation found that the executable is downloaded from sofa[.]rs through an HWP document, 전라남도 코로나바이러스 대응 긴급 조회.hwp (translation: Urgent inquiry for Coronavirus in Jeollanam-do). Jeollanam-do is a province of South Korea. This may indicate that the most probable target is South Korea.

The code pattern shares genes with various known malware families, including Petya, Trickbot and Gandcrab, and also contains genes from admin tools such as TeamViewer and Dameware.

Code gene matches (figure)

Malware Analysis:

Notable features of the executable:

  • Reads Clipboard data
  • Logs Keystrokes
  • Contains killswitch to choose victims
  • Highly obfuscated file
  • Detects sandbox environment to evade detection 
  • Contains functionality for execution timing, often used to detect debuggers 
  • Contains long sleeps
  • Contains functionality to check if a debugger is running (IsDebuggerPresent)

Embedded Domains:

  • kingsvc[.]cc
  • mbrainingevents[.]com
  • afuocolento[.]it

Process flow:

Process flow (figure)

Indicators of Compromise (IoCs):

Indicators of Attacks (IoAs):

  • Execution: T1047: Windows Management Instrumentation
  • Execution: T1106: Execution through API
  • Persistence: T1138: Application Shimming
  • Privilege Escalation: T1138: Application Shimming 
  • Defense Evasion: T1036: Masquerading 
  • Defense Evasion: T1045: Software Packing
  • Defense Evasion: T1497: Virtualization/Sandbox Evasion
  • Defense Evasion: T1140: Deobfuscate/Decode Files or Information
  • Defense Evasion: T1027: Obfuscated Files or Information
  • Credential Access: T1056: Input Capture 
  • Discovery: T1124: System Time Discovery
  • Discovery: T1497: Virtualization/Sandbox Evasion
  • Discovery: T1057: Process Discovery
  • Discovery: T1087: Account Discovery
  • Discovery: T1033: System Owner/User Discovery 
  • Discovery: T1063: Security Software Discovery
  • Discovery: T1082: System Information Discovery 
  • Lateral Movement: T1105: Remote File Copy
  • Collection: T1056: Input Capture
  • Collection: T1115: Clipboard Data
  • Exfiltration: T1022: Data Encrypted
  • Command and control: T1032: Standard Cryptographic Protocol

Yara Rule:

import "pe"

rule ReflectiveLoader {
   meta:
      description = "Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended"
      reference = "Internal Research"
      score = 60
   strings:
      $s1 = "ReflectiveLoader" fullword ascii
      $s2 = "ReflectivLoader.dll" fullword ascii
      $s3 = "?ReflectiveLoader@@" ascii
   condition:
      uint16(0) == 0x5a4d and (
            1 of them or
            pe.exports("ReflectiveLoader") or
            pe.exports("_ReflectiveLoader@4")
      )
}
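As an added example (not code from the original post or from the YARA project), the rule's decision reproduced in stdlib Python: it walks a PE's export table by hand so the pe.exports(...) branch can be evaluated without the pe module, and builds a constructed minimal PE32 to stand in for a sample. The indicator strings and export names come from the rule above; the helper names and the test image layout are assumptions.

```python
import struct

# Indicators taken from the ReflectiveLoader YARA rule quoted above.
RL_STRINGS = (b"ReflectiveLoader", b"ReflectivLoader.dll", b"?ReflectiveLoader@@")
RL_EXPORTS = {"ReflectiveLoader", "_ReflectiveLoader@4"}

def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via (VirtualAddress, SizeOfRawData, PointerToRawData); None if unmapped."""
    return next((rva - va + ptr for va, raw, ptr in sections if va <= rva < va + raw), None)

def pe_export_names(data):
    """Names in a PE image's export table; [] if not a PE or there is no export table. Stdlib only."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        return []
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]  # 0x10B = PE32, 0x20B = PE32+
    exp_rva = struct.unpack_from("<I", data, opt + (96 if magic == 0x10B else 112))[0]
    sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12) for i in range(nsec)]
    off = _rva_to_offset(exp_rva, sections) if exp_rva else None
    if off is None:
        return []
    n_names, _, names_rva = struct.unpack_from("<III", data, off + 24)  # NumberOfNames, AddressOfNames
    names_off = _rva_to_offset(names_rva, sections)
    rvas = struct.unpack_from("<%dI" % n_names, data, names_off)
    offs = [_rva_to_offset(r, sections) for r in rvas]
    return [data[o:data.index(b"\0", o)].decode("ascii", "replace") for o in offs]

def reflective_loader_match(data):
    """The rule's condition: MZ header and (any indicator string or a RL export). Plain substring search; YARA's fullword is not reproduced."""
    has_string = any(s in data for s in RL_STRINGS)
    return data[:2] == b"MZ" and (has_string or bool(RL_EXPORTS & set(pe_export_names(data))))

def build_test_pe(export_names):
    """Constructed test input (assumption): a minimal, non-runnable PE32 whose one section holds an export table."""
    va, raw_ptr = 0x1000, 0x200
    pos, name_rvas, blob = 40 + 4 * len(export_names), [], b""
    for n in export_names:
        name_rvas.append(va + pos); blob += n.encode() + b"\0"; pos += len(n) + 1
    exp_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, len(export_names), len(export_names), 0, va + 40, 0)
    body = exp_dir + b"".join(struct.pack("<I", r) for r in name_rvas) + blob
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = (struct.pack("<H", 0x10B).ljust(96, b"\0") + struct.pack("<II", va, len(body))).ljust(224, b"\0")
    sect = b".edata\0\0" + struct.pack("<IIII", len(body), va, 0x200, raw_ptr) + b"\0" * 16
    return (dos + coff + opt + sect).ljust(raw_ptr, b"\0") + body.ljust(0x200, b"\0")
```

Running reflective_loader_match over a directory of PE files gives the same triage verdict as the rule, with the export check catching loaders whose exported name survives even when the plain strings have been tampered with.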

  • VirusTotal
  • Intezer Analyze™