The Lazarus Group (aka Hidden Cobra, Labyrinth Chollima, Zinc, Guardians of Peace) is a threat actor group that has been attributed to the Democratic People’s Republic of Korea (DPRK). Lazarus Group’s targeting closely aligns with North Korean economic and geopolitical interests; its operations are primarily motivated by financial gain as a means of circumventing international sanctions. In recent years, however, Lazarus Group has further expanded its operations to target the defense and aerospace industries.
Lazarus Group operations are characterized by their use of custom and commodity malware for financial, espionage, and disruptive purposes. HYAS has previously observed Lazarus Group campaign infrastructure being used against targets in the US, Israel and other countries as part of our ongoing work to provide additional telemetry and, where possible, advance warning to our clients.
HYAS Intelligence Services analysts were able to uncover additional domains attributable to the same registrant behind the Command and Control (C2) domain tronslogshipping[.]com. [2]
Using HYAS Insight, analysts can take a known C2 domain and pivot off it to uncover additional related domains, registration details and observables. In this case, when pivoting off the Lazarus C2 URL tronslog[.]com/public/appstore.php in HYAS Insight, five additional domains attributable to the same registrant were identified. While these domains have yet to be confirmed to be malicious, it is worthwhile for security practitioners to monitor them for potential, future malicious activity, given their association. Registrant pivots can also link unrelated domains that happen to share a privacy-proxy or reseller identity, so such domains should be treated as watchlist candidates rather than confirmed indicators until observed activity corroborates the link.
Starting with a single piece of incident data, we were able to discover additional domains and observables in an adversary’s campaign infrastructure using HYAS Insight. This approach gives security practitioners early visibility into potentially malicious domains that have not yet been added to IOC watchlists, and allows companies to better protect themselves with enhanced situational awareness.
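The registrant pivot described above, followed by the watchlist check it feeds, as an added example. This is not HYAS code and does not use the HYAS Insight API; the WHOIS-style records, domain names (all under the reserved `.example` TLD), registrant values and DNS log lines are constructed for illustration and are not real Lazarus infrastructure. It also shows the caveat a practitioner hits first: a seed whose registration is behind a privacy proxy yields no usable pivot, and a single shared field is a weaker link than several.

```python
"""Registrant-based infrastructure pivot and a DNS-log watchlist check.

Added example: all records and log lines are constructed; none come from
HYAS Insight or from real Lazarus Group campaign data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrant_email: str
    registrant_name: str
    registrant_phone: str
    registrar: str


# Constructed passive-WHOIS snapshot. Only the seed domain is known-bad;
# the rest are hypothetical and exist to exercise the pivot logic.
RECORDS = [
    WhoisRecord("c2-seed.example", "ops@registrant.invalid", "J. Doe", "+1.5550100", "Registrar A"),
    WhoisRecord("update-portal.example", "ops@registrant.invalid", "J. Doe", "+1.5550100", "Registrar A"),
    WhoisRecord("cdn-assets.example", "other@registrant.invalid", "J. Doe", "+1.5550100", "Registrar B"),
    WhoisRecord("mail-relay.example", "ops@registrant.invalid", "Jane Roe", "+1.5550199", "Registrar A"),
    WhoisRecord("unrelated-shop.example", "shop@somewhere.invalid", "S. Hop", "+1.5550123", "Registrar A"),
    WhoisRecord("privacy-masked.example", "redacted@privacyproxy.invalid", "REDACTED", "", "Registrar A"),
]

# Registration fields worth pivoting on. Registrar is deliberately excluded:
# thousands of unrelated domains share a registrar.
PIVOT_FIELDS = ("registrant_email", "registrant_name", "registrant_phone")

# Values shared by many unrelated registrations (privacy proxies, blanks).
# Pivoting on these produces false links, so they are never used as a key.
LOW_VALUE = {"", "redacted", "redacted for privacy", "redacted@privacyproxy.invalid"}


def pivot_registrant(seed, records, min_shared=2):
    """Return {domain: fields shared with the seed} for records that share at
    least `min_shared` usable registrant fields with the seed domain."""
    seed_rec = next((r for r in records if r.domain == seed), None)
    if seed_rec is None:
        raise ValueError(f"seed domain not in record set: {seed}")
    related = {}
    for rec in records:
        if rec.domain == seed:
            continue
        shared = tuple(
            field for field in PIVOT_FIELDS
            if getattr(seed_rec, field).lower() not in LOW_VALUE
            and getattr(seed_rec, field).lower() == getattr(rec, field).lower()
        )
        if len(shared) >= min_shared:
            related[rec.domain] = shared
    return related


# Constructed resolver log: "<timestamp> <host> query <type> <qname>".
DNS_LOG = """\
2021-02-01T10:00:01Z host01 query A update-portal.example
2021-02-01T10:00:02Z host02 query A www.example.org
2021-02-01T10:00:03Z host03 query A api.cdn-assets.example
2021-02-01T10:00:04Z host04 query A unrelated-shop.example
"""


def match_watchlist(log_text, watchlist):
    """Return (timestamp, host, qname, matched_domain) for each query whose
    name is a watchlisted domain or any subdomain of one."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the sweep
        ts, host, qname = parts[0], parts[1], parts[4].rstrip(".").lower()
        labels = qname.split(".")
        # Walk up the label tree so api.cdn-assets.example hits cdn-assets.example.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in watchlist:
                hits.append((ts, host, qname, candidate))
                break
    return hits


if __name__ == "__main__":
    related = pivot_registrant("c2-seed.example", RECORDS)
    for domain, fields in related.items():
        print(f"{domain}: shares {', '.join(fields)}")
    for hit in match_watchlist(DNS_LOG, set(related)):
        print("watchlist hit:", hit)
```

With the default threshold of two shared fields the pivot returns update-portal.example and cdn-assets.example; mail-relay.example, which shares only the contact address, is surfaced only when `min_shared` is lowered to 1. Pivoting from privacy-masked.example returns nothing, because every one of its pivot fields is a proxy placeholder. That is the expected result rather than a bug.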