On November 10, 2021, the foreign security vendor ESET disclosed an attack campaign by the North Korean APT group Lazarus:
ESET noted that the Lazarus group bundled the IDA Pro 7.5 software with two backdoor files to target security researchers.
IDA (Interactive Disassembler) is a world-class disassembly tool released by Hex-Rays. It is widely used by security researchers in China and abroad for binary analysis and reverse engineering.
ESET explained that the attacker replaced win_fw.dll, an internal component that is executed during the IDA Pro installation, with a malicious DLL. The malicious win_fw.dll creates a Windows scheduled task that launches the second malicious component, idahelper.dll, from the IDA plugins folder.
Once started, idahelper.dll tries to download and execute the next-stage payload from a specified address.
Readers who have the leaked version of IDA should check their installation themselves against the following indicators.
win_fw.dll (SHA-1): A8EF73CC67C794D5AA860538D66898868EE0BEC0
idahelper.dll (SHA-1): DE0E23DB04A7A780A640C656293336F80040F387
Also capture local network traffic regularly and check for any connection to the domain name used in this attack: devguardmap[.]org
The sample has also been released publicly:
https://github.com/blackorbird/APT_REPORT/tree/master/lazarus/sample
https://www.virustotal.com/gui/file/fe80e890689b0911d2cd1c29196c1dad92183c40949fe6f8c39deec8e745de7f/detection
In addition, it has not yet been ruled out that the macOS version of IDA has the same problem. Readers who use the cracked version should check it themselves.
In fact, attacks aimed specifically at security personnel are no longer rare; there have been earlier reports of social-engineering attacks on security researchers through social media. As a security practitioner, you must also take your own protection seriously and keep your guard up, otherwise your work will end up being "seen" by others.
Original article by CNCSO, if reproduced, please credit: https://cncso.com/en/ida-may-have-been-planted-in-the-back-door-html