North Korean hackers found to be using a trojanised version of IDA Pro to target cybersecurity researchers

A North Korean state sponsored hacking group known as Lazarus has been found to once again attempting to target cybersecurity researchers, this time using a trojanised version of the well-regarded IDA Pro reverse engineering software, coded by the malicious actors with backdoors and remote access trojans.   

ESET security researcher Anton Cherepanov disclosed the findings concerning the group last week in a series of tweets.  

IDA Pro is an interactive multi-platform, multi-processor disassembler programmed to translate machine executable code into assembly language source code. The software enables cybersecurity researchers to analyse the inner components of a program (including malicious components) and further uses include debugging, error detection and reverse engineering. Plug-ins can be designed, and the software supports a range of executables for various processers and operating systems.  

The cybersecurity firm stated that the “attackers bundled the original IDA Pro 7.5 software developed by [Hex-Rays] with two malicious components,” one of which is an internal component referred to as “win_fw.dll” that is performed during the installation of the malicious software. The second component which is referred to as “idahelper.dll” is then executed upon the user’s system from the IDA plugins folder. 

Post successful installation, the “idahelper.dll” then connects to a remote server at “www[.]devguardmap[.]org”, a domain notorious for being previously attached to a North Korean state endorsed campaign targeted towards security professionals, disclosed by Google’s Threat Analysis Group earlier in March 2021.  

The campaign involved the threat actors establishing a fraudulent security company known as SecuriElite as well as multiple social media accounts belonging to Twitter and LinkedIn in an effort to mislead targets into visiting the malware embedded website. Once visited, an exploit targeted towards a then zero-day flaw in Internet Explorer was programmed to be triggered. Microsoft later addressed this issue as part of a monthly Patch Tuesday update released in March 2021.  

The Lazarus Group has been active from as early as 2009, with the group being linked to a series of cyber attacks with the purpose of gathering sensitive information from breached systems and for financial gain.   

According to the 2021 Annual Threat Assessment published in April 2021 by the U.S Office of the Director of National Intelligence, “North Korea’s cyber program poses a growing espionage, theft, and attack threat.” 

Additionally included in the report “North Korea has conducted cyber theft against financial institutions and cryptocurrency exchanges worldwide, potentially stealing hundreds of millions of dollars, probably to fund government priorities, such as its nuclear and missile programs.”