LCRYX

Malware

⚠️ Overview

LCRYX is a custom backdoor malware attributed to the North Korean advanced persistent threat group known as Lazarus Group (also tracked as Hidden Cobra, APT38, or TEMP.Hermit). It was first publicly documented in a 2019 report by the cybersecurity firm ClearSky, which identified the malware being used in targeted attacks against Israeli defense contractors and financial institutions. LCRYX falls into the category of a remote access trojan (RAT), designed for stealthy long-term espionage and data exfiltration. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) included LCRYX in its 2020 alert AA20-239A, confirming the malware is part of Lazarus Group's arsenal.

🔧 Technical Capabilities

LCRYX is primarily written in C++ and communicates with its command-and-control (C2) infrastructure over HTTP and HTTPS using custom encryption algorithms. The malware employs process hollowing (MITRE ATT&CK T1055.012) to inject its payload into legitimate Windows processes such as svchost.exe or explorer.exe. Persistence is achieved through registry run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or scheduled tasks. Evasion techniques include dynamic API resolution, string obfuscation, and checking for sandbox environments via artifacts like VM processes or specific file paths. The backdoor supports file upload/download, keylogging, screenshot capture, and shell command execution, all relayed through encrypted C2 channels (MITRE ATT&CK T1573). It uses a bespoke variant of the RC4 cipher for payload decryption, as reported by Malwarebytes in a 2020 technical analysis.

📜 History & Notable Incidents

LCRYX was first observed in the wild around March 2017, with early samples submitted to VirusTotal. A major campaign in 2019 targeted multiple cryptocurrency exchanges and blockchain companies, according to a joint advisory from CISA and the FBI (AA20-239A). In 2021, the malware was linked to the theft of approximately $1.7 million from a South Korean crypto platform via credential harvesting. No CVEs are directly associated with LCRYX itself, but it is often delivered through spear-phishing emails exploiting older Microsoft Office vulnerabilities (e.g., CVE-2017-11882).

🔍 Detection Indicators

Known file hashes include MD5: 5c8b0f4d9a7e2b1c3d6f8a0e9b7c4d2e and SHA-256: c3f4a2b1d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1 (from a 2019 ClearSky report). Network indicators include C2 domains ending in .com or .org with low Alexa rankings, often using HTTPS on non-standard ports (e.g., 8443). Behavioral indicators: attempts to inject code into rundll32.exe, creation of the mutex Global\LCRYX_MTX, and registry modifications under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. User-Agent strings mimic Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0.
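The behavioural and network indicators listed above are of very different fidelity, so they are best correlated per host rather than alerted on one at a time. The following Python is an added example and not code from the source or any vendor: the event schema, the sample telemetry and the indicator weights are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Indicators quoted in the profile above, in normalised form.
RUN_KEY_RE = re.compile(r"^HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
MUTEX_NAME = r"Global\LCRYX_MTX"
INJECT_TARGETS = {"rundll32.exe", "svchost.exe", "explorer.exe"}
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0"
# Assumed weights: the mutex is specific to LCRYX, while a Run-key write or this Firefox 44
# User-Agent is common in benign telemetry and only counts when corroborated.
WEIGHTS = {"lcryx_mutex": 3, "injection": 2, "c2_ua_port8443": 2,
           "run_key_persistence": 1, "c2_user_agent": 1}

# Constructed sample telemetry (not real captures) in the style of an EDR/Sysmon feed.
SAMPLE_EVENTS = [
    {"host": "ws-17", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws-17", "type": "mutex_create", "name": r"Global\LCRYX_MTX"},
    {"host": "ws-17", "type": "remote_thread", "source": "upd.exe", "target": "rundll32.exe"},
    {"host": "ws-17", "type": "http_request", "dst_port": 8443, "user_agent": C2_USER_AGENT},
    {"host": "ws-04", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"host": "ws-04", "type": "http_request", "dst_port": 443, "user_agent": C2_USER_AGENT},
]

def match_event(ev):
    """Return the name of the indicator an event matches, or None."""
    t = ev["type"]
    if t == "registry_set" and RUN_KEY_RE.match(ev["key"]):
        return "run_key_persistence"
    if t == "mutex_create" and ev["name"] == MUTEX_NAME:
        return "lcryx_mutex"
    if t == "remote_thread" and ev["target"].lower() in INJECT_TARGETS:
        return "injection"
    if t == "http_request" and ev["user_agent"] == C2_USER_AGENT:
        return "c2_ua_port8443" if ev["dst_port"] == 8443 else "c2_user_agent"
    return None

def score_hosts(events):
    """Sum the weights of the distinct indicators seen on each host."""
    seen = defaultdict(set)
    for ev in events:
        name = match_event(ev)
        if name:
            seen[ev["host"]].add(name)
    return {host: sum(WEIGHTS[n] for n in names) for host, names in seen.items()}

def flagged_hosts(events, threshold=4):
    """Hosts whose corroborated indicator score reaches the alert threshold."""
    return sorted(h for h, s in score_hosts(events).items() if s >= threshold)
```

On the sample feed only ws-17 is flagged; ws-04 shows the same User-Agent and a Run-key write, but without the mutex or injection it stays below the threshold, which is the point of weighting low-fidelity indicators.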

☠️ Risk & Impact

LCRYX poses a severe threat to defense, finance, and cryptocurrency sectors, with documented data exfiltration of sensitive documents and credentials. In the 2019 campaigns, over 20 organizations in Israel were breached, leading to the exfiltration of proprietary research and financial records. The malware's ability to remain undetected for months amplifies financial losses; the 2021 crypto-platform theft alone cost $1.7 million in stolen assets. According to a 2022 Kaspersky report, Lazarus Group used LCRYX as part of a multi-stage supply chain attack against a major European bank, causing an estimated $10 million in remediation costs.

🛡️ Mitigation

Defenders should enable Advanced Threat Protection (ATP) rules that detect process injection and abnormal C2 traffic, deploy YARA rules matching LCRYX's RC4 decryption stub, and enforce application whitelisting. CISA recommends using the National Detection Signature from AA20-239A, patching CVE-2017-11882, and blocking known C2 domains via threat intelligence feeds. Regular endpoint scans with a modern EDR solution capable of detecting memory-resident backdoors (e.g., CrowdStrike Falcon) are essential.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.