
Cybersecurity Researchers Targeted by North Korean Hackers with Trojanized IDA Pro

by CISOCONNECT Bureau

Lazarus, a North Korean-affiliated state-sponsored group, is attempting to use a trojanized pirated version of the popular IDA Pro reverse engineering software to attack security researchers with backdoors and remote access trojans once again.

Last week, ESET security researcher Anton Cherepanov revealed the findings in a series of tweets.

IDA Pro is an interactive disassembler that translates machine code (i.e., executables) back into assembly language, allowing security researchers to analyze the inner workings of a program, malicious or not; it can also function as a debugger to find errors.

ESET said, “Attackers bundled the original IDA Pro 7.5 software developed by [Hex-Rays] with two malicious components.” One of them is an internal module named “win_fw.dll” that runs during the application’s installation. This tampered version is then used to load a second component called “idahelper.dll” from the system’s IDA plugins folder.

Once executed, the “idahelper.dll” binary connects to a remote server at “www[.]devguardmap[.]org” to retrieve subsequent payloads. The domain is especially notable because it was previously linked to a similar North Korean-backed campaign targeting security professionals, which Google’s Threat Analysis Group disclosed in March of this year.
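The chain described above gives a defender two concrete things to look for: the two component filenames dropped into an IDA installation, and DNS resolution of the C2 domain. The following Python script is an added example written for this page, not ESET's or Hex-Rays' code. It re-fangs the defanged domain from the article, scans constructed DNS log lines for that domain and its subdomains (rejecting look-alike suffixes), and walks an IDA install directory for the two component names. The log line format, the client IP addresses, and the demo directory layout are all constructed for the example; the component name is spelled win_fw.dll, as in ESET's reporting.

```python
import os
import re
import tempfile

# Indicators taken from the article, re-fanged. Matching is on the
# registrable domain so that www.devguardmap.org also hits.
C2_DOMAINS = {"devguardmap.org"}

# Filenames of the two malicious components the article describes.
SUSPECT_FILENAMES = {"win_fw.dll", "idahelper.dll"}

# Constructed BIND-style query log lines (not from a real incident).
SAMPLE_DNS_LOG = [
    "2021-11-10T09:14:02Z 10.0.0.15 query: www.devguardmap.org A",
    "2021-11-10T09:14:05Z 10.0.0.15 query: hex-rays.com A",
    # Look-alike that merely starts with the indicator: must NOT match.
    "2021-11-10T09:15:11Z 10.0.0.22 query: devguardmap.org.lookalike.test A",
    "2021-11-10T09:16:40Z 10.0.0.31 query: DEVGUARDMAP.ORG A",
]

DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<name>\S+)")


def refang(domain):
    """Turn the article's defanged form (www[.]x[.]org) into a real name."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def domain_matches(query, bad_domains):
    """True if query equals a bad domain or is a subdomain of one.

    Suffix matching is anchored on a leading dot so that
    'devguardmap.org.lookalike.test' does not count as a hit.
    """
    q = refang(query)
    return any(q == d or q.endswith("." + d) for d in bad_domains)


def scan_dns_log(lines):
    """Return (client, queried_name) pairs that resolved the C2 domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m and domain_matches(m.group("name"), C2_DOMAINS):
            hits.append((m.group("client"), refang(m.group("name"))))
    return hits


def scan_ida_dir(ida_root):
    """Return paths of suspect component files anywhere under an IDA install."""
    found = []
    for dirpath, _, files in os.walk(ida_root):
        for name in files:
            if name.lower() in SUSPECT_FILENAMES:
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def build_demo_install(root):
    """Create a constructed IDA-like layout with the two suspect files."""
    os.makedirs(os.path.join(root, "plugins"), exist_ok=True)
    for rel in ("ida.exe", "win_fw.dll", os.path.join("plugins", "idahelper.dll"),
                os.path.join("plugins", "hexrays_sdk.txt")):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"demo")


def demo_scan():
    """Run both checks against constructed data; returns the findings."""
    root = tempfile.mkdtemp(prefix="ida_demo_")
    build_demo_install(root)
    file_hits = sorted(os.path.basename(p) for p in scan_ida_dir(root))
    return {"dns": scan_dns_log(SAMPLE_DNS_LOG), "files": file_hits}


if __name__ == "__main__":
    for key, value in demo_scan().items():
        print(key, value)
```

Note that a filename match alone is not proof of compromise; the point is to surface an installation for hashing and review, while a DNS hit on the C2 domain warrants treating the host as suspect.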

In that earlier campaign, the adversaries set up a fake security company called SecuriElite, along with a number of social media accounts on Twitter and LinkedIn, to trick unsuspecting researchers into visiting the fake company’s malware-laced website and triggering an exploit for a then-zero-day in the Internet Explorer browser. Microsoft eventually fixed the flaw in its March 2021 Patch Tuesday update.
