"Lazarus Hackers Target Researchers With Trojanized IDA Pro"

Lazarus, the North Korean state-sponsored hacking group, is targeting security researchers with a trojanized pirated version of the popular IDA Pro reverse engineering application.

IDA Pro disassembles an executable into assembly language, which allows security researchers and programmers to analyze how a program works and discover potential vulnerabilities. Researchers commonly use IDA to analyze legitimate software for bugs and to analyze malware to determine what malicious behavior it performs. Because IDA Pro is an expensive application, some researchers download a pirated, cracked version of it. Any pirated software could contain malicious executables, which is what ESET researcher Anton Cherepanov discovered in a pirated version of IDA Pro distributed by the Lazarus hacking group.

The malicious version of IDA Pro 7.5 discovered by Cherepanov is being distributed online to target security researchers. The modified IDA installer includes two malicious DLLs that are executed when the program is installed. The first DLL, win_fw.dll, creates a new task in the Windows Task Scheduler that executes the second malicious DLL, idahelper.dll. The idahelper.dll program then connects to a malicious site to download payloads suspected to be the NukeSped Remote Access Trojan (RAT). Using the installed RAT, threat actors can gain access to a security researcher's device to take screenshots, steal files, log keystrokes, and more.

This article continues to discuss the Lazarus group's targeting of security researchers with a trojanized version of the IDA Pro reverse engineering application.

Bleeping Computer reports "Lazarus Hackers Target Researchers With Trojanized IDA Pro"
