Detecting Trojanized IDA Pro Installers Distributed by Lazarus Hackers

The infamous Lazarus APT strikes again, with security professionals being under attack during the most recent campaign. State-sponsored actor leverages a pirated version of the widely-used IDA Pro reverse engineering application to compromise researchers’ devices with backdoors and remote access Trojans (RATs).

NukeSpeed RAT Delivered via Trojanized IDA Pro 

According to the research by ESET, Lazarus hackers are taking advantage of the frugality of some security practitioners who tend to use cracked versions of the legitimate software not to pay for it. This time adversaries baited their victims with a pirated version of the IDA Pro app frequently used by security experts for debugging purposes. 

Threat actors laced the IDA Pro 7.5 version with two malicious DLLs (idahelp.dll and win_fw.dll) aimed at NukeSpeed RAT delivery. The DLLs execute during the installation process and create a special task via the Windows Task Scheduler to download the NukeSpeed payload. Upon execution, the Lazarus group leverages the RAT to grab sensitive data from the researchers’ machines, take screenshots, log keystrokes, and execute a batch of other malicious commands.

Currently, it is unclear how the malware-laced app is being distributed, yet ESET believes the campaign has been ongoing since early 2020.

Lazarus APT

Lazarus advanced persistent threat (APT) is a notorious hacker collective working on behalf of the North-Korean government. The group has been extremely active since 2009, launching sophisticated malicious campaigns aimed at the financial gain and political interventions. Multiple ground-breaking security incidents are associated with this threat actor, including the Sony Pictures breach, Bangladesh Central Bank heist, and WannaCry attack. 

Cybersecurity experts are among the key targets for Lazarus hackers. For example, in January 2021, Lazarus APT launched a malicious operation that used a fake blog and a broad network of fake social media accounts to infect threat hunting enthusiasts with malware. 

Trojanized IDA Pro Detection

To prevent Lazarus attacks and detect possible malicious activity associated with trojanized version of the IDA Pro app, you can download a set of curated Sigma rules already available in the SOC Prime platform. All detections are directly mapped to the MITRE ATT&CK® framework and contain the corresponding references and descriptions:

Trojanized IDA Pro Installer

Trojanized IDA Pro (via dns)

Lazarus Hackers Targeting Security Researchers with Trojanized IDA Pro

Trojanized IDA Pro installer Distributed by the Lazarus APT Group (via Process Creation)

Trojanized IDA Pro Installer, Distributed by the Lazarus APT Group

Explore SOC Prime’s Detection as Code platform to defend against attacks faster and more efficiently than ever. Instantly hunt for the latest threats within 20+ supported SIEM XDR technologies, boost the awareness of all the latest attacks in the context of exploited vulnerabilities and MITRE ATT&CK matrix, and streamline your security operations, while getting anonymized feedback from the global cybersecurity community. Enthusiastic to craft your own Sigma rules and get money for your contribution? Join our Threat Bounty Program!

Go to Platform Join Threat Bounty