Using a trojanized, unlicensed copy of the well-known IDA Pro reverse-engineering program, Lazarus, a North Korean-affiliated state-sponsored group, is once again targeting security researchers with backdoors and remote access trojans. Last week, ESET security researcher Anton Cherepanov disclosed the findings in a series of tweets.
IDA Pro is an Interactive Disassembler that converts machine code (i.e. compiled executables) back into assembly language, allowing security researchers to inspect the inner workings of a program (malicious or not), and it also serves as a debugger for finding flaws.
According to the Slovak cybersecurity firm, the IDA Pro 7.5 program (originally built by Hex-Rays) had been modified to include two malicious components. The first is an internal module named “win_fw.dll,” which is run during program installation. This component then loads a second one, called “idahelper.dll,” from the system’s IDA plugins folder.
Once it runs, “idahelper.dll” connects to a remote server at “www[.]devguardmap[.]org” to obtain further payloads. The domain is especially significant because it was previously tied to a similar North Korean-backed campaign targeting security researchers, disclosed by Google’s Threat Analysis Group in March.
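As an added example (not code from the article or from ESET's analysis), the following Python triage helper refangs the domain quoted above, matches it against constructed proxy log lines (including subdomains, while rejecting look-alike hosts), and flags the plugin file name in a constructed listing of an IDA plugins folder. The log format, IP addresses and file names other than the indicators are assumptions.

```python
"""Triage helper for the indicators named in the article (added example)."""
from urllib.parse import urlsplit

# Indicators exactly as the article quotes them (domain is defanged with [.])
C2_DOMAIN_DEFANGED = "www[.]devguardmap[.]org"
SUSPECT_PLUGIN_FILES = {"idahelper.dll"}  # loaded from the IDA plugins folder

# Constructed sample proxy log: <timestamp> <client ip> <method> <url>
SAMPLE_PROXY_LOG = """\
2021-11-10T09:12:01Z 10.0.0.15 GET https://www.devguardmap.org/update
2021-11-10T09:12:05Z 10.0.0.15 GET https://cdn.example.org/assets/app.js
2021-11-10T09:13:44Z 10.0.0.22 POST http://api.devguardmap.org/report
2021-11-10T09:14:02Z 10.0.0.31 GET https://devguardmap.org.example.com/
"""

# Constructed sample listing of an IDA plugins folder (file names only)
SAMPLE_PLUGIN_LISTING = ["hexrays_sdk.dll", "IDAHelper.dll", "lumina.cfg"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def find_c2_hits(log_text: str, indicator: str = C2_DOMAIN_DEFANGED):
    """Return (timestamp, client, host) for requests to the C2 domain or any subdomain."""
    base = refang(indicator)
    if base.startswith("www."):      # match the registrable domain, not only the www host
        base = base[4:]
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:           # skip malformed lines instead of crashing
            continue
        ts, client, _method, url = parts[:4]
        host = (urlsplit(url).hostname or "").lower()
        # exact match or a true subdomain; 'devguardmap.org.example.com' must not match
        if host == base or host.endswith("." + base):
            hits.append((ts, client, host))
    return hits


def find_suspect_plugins(plugin_listing):
    """Flag plugin file names from the article (case-insensitive name match only)."""
    return sorted(name for name in plugin_listing if name.lower() in SUSPECT_PLUGIN_FILES)


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_PROXY_LOG):
        print("C2 contact:", *hit)
    for name in find_suspect_plugins(SAMPLE_PLUGIN_LISTING):
        print("suspect plugin file:", name)
```

A name match on the plugin file is only a starting point for triage; confirm with the file's hash and signer before treating the host as compromised.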
According to the United States Office of the Director of National Intelligence’s 2021 Annual Threat Assessment, North Korea’s cyber program poses an increasing threat of espionage, attack, and theft.
North Korea has carried out cyber-attacks on financial institutions and cryptocurrency exchanges around the world, possibly stealing several million dollars to fund government priorities, including its nuclear and missile programs.