Trojanized IDA Pro used by Lazarus hackers in attacks on security researchers

December 21, 2021

The North Korean state-backed Lazarus group is once again targeting security researchers, and this time the lure is a trojanized version of the IDA Pro reverse engineering application.

IDA Pro is a disassembler and debugger: it converts compiled executables back into assembly language so that developers and security researchers can study how a program works and look for potential vulnerabilities.

Security researchers routinely use IDA Pro to analyse malware and to audit legitimate software for vulnerabilities. However, IDA Pro licences are expensive, so some researchers download pirated, cracked copies instead of paying for one.

Pirated software always carries risk: the installer may have been modified to bundle malicious executables. That is exactly what a researcher found in a pirated IDA Pro build distributed by the Lazarus hacking group.

Lazarus, equipped with a trojanized IDA Pro, sets its sights on cybersecurity researchers.

A malicious build of IDA Pro 7.5 was recently found being distributed online, allegedly by the Lazarus group, to target cybersecurity researchers. The IDA Pro 7.5 installer was modified to bundle two malicious DLLs, ‘win_fw[.]dll’ and ‘idahelper[.]dll’, which are executed once the program has been installed.

The ‘win_fw[.]dll’ file creates a new task in the Windows Task Scheduler that launches ‘idahelper[.]dll’, which gives the malware persistence across reboots. ‘idahelper[.]dll’ then connects to the ‘devguardmap[.]org’ domain to download further payloads, believed to be the NukeSped RAT. This remote access trojan gives the threat actors access to the researcher’s machine, allowing them to exfiltrate files, log keystrokes, execute further commands, and take screenshots.
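As an added example (not code from the article or from the researchers who reported this campaign), the following Python script shows how a defender could triage a host against the indicators just named: the two DLL file names, a scheduled task whose command line references the helper DLL, and DNS lookups of devguardmap[.]org. The install-directory listing, the scheduled-task XML and the DNS log lines are constructed for illustration; the way the task invokes the DLL (rundll32) and its logon trigger are assumptions, since the article does not describe them.

```python
"""
Offline triage for the trojanized IDA Pro 7.5 indicators described in the
article: bundled win_fw.dll / idahelper.dll, a scheduled task launching the
helper DLL, and callbacks to devguardmap[.]org. Added example, not the
article's or the reporting researchers' code. All sample input below is
constructed; only the DLL names and the domain come from the article.
"""
import re
from pathlib import PureWindowsPath
import xml.etree.ElementTree as ET

SUSPICIOUS_DLLS = {"win_fw.dll", "idahelper.dll"}   # named in the article
SUSPICIOUS_DOMAIN = "devguardmap.org"                # defanged in the article
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def suspicious_files(paths):
    """Flag any path whose file name matches a DLL bundled with the trojanized installer.
    A pure name match: a renamed copy would not be caught."""
    return [p for p in paths if PureWindowsPath(p).name.lower() in SUSPICIOUS_DLLS]


def suspicious_task_actions(task_xml):
    """Return each <Exec> action in a Task Scheduler XML export (schtasks /query /xml)
    whose command line references one of the malicious DLLs."""
    # Real exports start with an encoding="UTF-16" declaration; once the file has been
    # decoded to str that declaration is misleading, so drop it before parsing.
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)
    root = ET.fromstring(task_xml)
    hits = []
    for exec_el in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        blob = f"{cmd} {args}".lower()
        matched = sorted(d for d in SUSPICIOUS_DLLS if d in blob)
        if matched:
            hits.append({"command": cmd, "arguments": args, "dlls": matched})
    return hits


def flag_dns_queries(log_lines, domain=SUSPICIOUS_DOMAIN):
    """Return (line_number, name) for every queried name equal to the C2 domain or one
    of its subdomains. Tokenising on hostname characters keeps the check independent
    of the log format; look-alikes such as notdevguardmap.org are not matched."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for tok in re.findall(r"[A-Za-z0-9.-]+", line):
            name = tok.strip(".").lower()
            if name == domain or name.endswith("." + domain):
                hits.append((n, name))
                break
    return hits


def triage(listing, task_xmls, dns_log):
    """Run all three checks and return one summary dict."""
    return {
        "files": suspicious_files(listing),
        "tasks": [h for xml in task_xmls for h in suspicious_task_actions(xml)],
        "dns": flag_dns_queries(dns_log),
    }


# --- constructed sample input (not real captures) ---
SAMPLE_INSTALL_LISTING = [
    r"C:\Program Files\IDA Pro 7.5\ida64.exe",
    r"C:\Program Files\IDA Pro 7.5\win_fw.dll",
    r"C:\Program Files\IDA Pro 7.5\idahelper.dll",
    r"C:\Program Files\IDA Pro 7.5\plugins\hexx64.dll",
]

# The rundll32 invocation and logon trigger are assumptions for illustration;
# the article only says the task launches idahelper.dll.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>"C:\Program Files\IDA Pro 7.5\idahelper.dll",Run</Arguments>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\wuauclt.exe</Command></Exec></Actions>
</Task>"""

SAMPLE_DNS_LOG = [
    "2021-12-20T10:15:01Z client=10.0.0.5 query=update.microsoft.com type=A",
    "2021-12-20T10:15:02Z client=10.0.0.5 query=devguardmap.org. type=A",
    "2021-12-20T10:15:03Z client=10.0.0.9 query=cdn.devguardmap.org type=A",
    "2021-12-20T10:15:04Z client=10.0.0.9 query=notdevguardmap.org type=A",
]

if __name__ == "__main__":
    import json
    result = triage(SAMPLE_INSTALL_LISTING,
                    [SAMPLE_TASK_XML, SAMPLE_BENIGN_TASK_XML], SAMPLE_DNS_LOG)
    print(json.dumps(result, indent=2))
```

In practice you would feed it a recursive listing of the IDA install directory, the output of `schtasks /query /xml` for every task on the host, and DNS or proxy logs. Two caveats: the file check is only a name match, so a renamed copy of either DLL slips past it, and a hit on the domain alone does not tell you which process made the lookup, so treat it as a lead for host-side investigation rather than proof.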

Lazarus has a long-running grudge against cybersecurity researchers.

The North Korean Lazarus group has a long history of targeting cybersecurity researchers with RATs and backdoors. In January 2021, Google revealed that Lazarus had run a social media campaign built around fake personas posing as cybersecurity researchers.

Using these personas, Lazarus would approach other cybersecurity researchers and propose collaborating on vulnerability and malware research.

What Lazarus hoped to gain from that campaign was never confirmed, but researchers believed the most likely goal was to steal undisclosed vulnerabilities and exploits that the group could use in larger future operations.
