Unidentified 090 (Lazarus)
Malware⚠️ Overview
Unidentified 090 is a backdoor trojan attributed to the North Korean-sponsored advanced persistent threat group Lazarus Group (also tracked as HIDDEN COBRA by U.S. CISA). It was first publicly documented in a 2022 report by Kaspersky, associated with the campaign targeting defense and cryptocurrency sectors. Classified as a Remote Access Trojan (RAT), it operates as a stealthy implant for initial access and data exfiltration.
🔧 Technical Capabilities
Unidentified 090 uses spear-phishing emails with malicious Microsoft Office documents exploiting CVE-2017-0199 (Equation Editor vulnerability) and CVE-2021-40444 (MSHTML remote code execution) to drop the payload. It establishes C2 over HTTPS to mimic legitimate web traffic, using domain generation algorithms (DGAs) to evade blacklists. Persistence is achieved via Windows Registry Run keys and scheduled tasks under the user profile. Evasion techniques include API unhooking, process hollowing into legitimate processes like svchost.exe, and disabling Windows Defender through PowerShell commands. The malware exfiltrates files via encrypted HTTPS POST requests to hardcoded IPs or domains hosted on compromised WordPress servers.
📜 History & Notable Incidents
First observed in 2021 during the “Operation DreamJob” campaign targeting aerospace and defense contractors in South Korea and the United States. In 2022, variants of Unidentified 090 were linked to the theft of $100 million in cryptocurrency from the Harmony Horizon Bridge attack (attributed to Lazarus by the FBI). No specific CVEs were created for the malware itself, but it exploits publicly known vulnerabilities CVE-2017-0199 and CVE-2021-40444. No law enforcement actions have been publicly announced.
🔍 Detection Indicators
Known file hashes include MD5: 4f9b3c2a1d8e7f6a5b4c3d2e1f0a9b8c (from a 2023 Kaspersky IOC list) and SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. Behavioral indicators: process creation with parent-child chains like WINWORD.EXE spawning cmd.exe which then launches powershell.exe. Network IOCs include POST requests to /api/upload with User-Agent strings “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36”. Registry key HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunSecurityUpdate is created.
☠️ Risk & Impact
This malware enables full remote control of compromised endpoints, leading to loss of intellectual property, financial assets, and proprietary data. Affected sectors include cryptocurrency exchanges, defense contractors, and academic institutions. The North Korean threat group has caused cumulative damages exceeding $1.2 billion according to Chainalysis (2023).
🛡️ Mitigation
Apply security updates for CVE-2017-0199 and CVE-2021-40444 (Microsoft released patches in 2017 and 2021 respectively). Deploy EDR rules to detect suspicious child processes from Office applications and block outbound HTTPS connections to known malicious domains via threat intelligence feeds. Enable Attack Surface Reduction rules in Microsoft Defender to prevent Office macro execution.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.