win.lpeclient

LPEClient

aka: LPEClientTea

Actor(s): Lazarus Group


LPEClient is an HTTP(S) downloader that expects two command line parameters: an encrypted string containing two URLs (a primary and a secondary C&C server), and the path on the victim's file system to store the downloaded payload.

It sends detailed information about the victim's environment, such as the computer name, the type and number of processors, the computer manufacturer, the product name, the major and minor Windows versions, the architecture, memory information, installed security software, and the version of ntoskrnl.exe taken from its version-information resource.

LPEClient uses specific 32-bit values to represent its execution state (0x59863F09 when connecting via the WinHTTP interface, 0xA9348B57 via WinINet) and the nature of its HTTP requests to the C&C servers (0xF07D6B34 when sending system information, 0xEF8C0D51 when requesting a DLL payload, 0xCB790A25 when reporting the successful loading of the DLL, 0xD7B20A96 when reporting the state of the DLL execution). As the final step, the malware looks for the export CloseEnv in the downloaded DLL and executes it.
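Added example, not code from the page or from the cited reports: a small Python triage check that scans a file image for the six marker constants listed above, encoded as little-endian DWORDs the way x86/x64 immediates appear in a PE image, and for the CloseEnv export name. The marker labels, the match threshold and the sample bytes are assumptions made here for illustration.

```python
import re
import struct

# Marker constants described for LPEClient. The labels are descriptive names
# chosen here for reporting; they are not identifiers from the malware.
LPECLIENT_MARKERS = {
    0x59863F09: "state: connect via WinHTTP",
    0xA9348B57: "state: connect via WinINet",
    0xF07D6B34: "request: send system information",
    0xEF8C0D51: "request: fetch DLL payload",
    0xCB790A25: "request: report DLL loaded",
    0xD7B20A96: "request: report DLL execution state",
}
EXPORT_NAME = b"CloseEnv"


def find_markers(data: bytes) -> dict:
    """Return {label: [offsets]} for each marker present as a little-endian DWORD."""
    hits = {}
    for value, label in LPECLIENT_MARKERS.items():
        pattern = re.escape(struct.pack("<I", value))
        offsets = [m.start() for m in re.finditer(pattern, data)]
        if offsets:
            hits[label] = offsets
    return hits


def triage(data: bytes, min_markers: int = 3) -> dict:
    """Heuristic verdict: flag when at least `min_markers` distinct constants occur,
    or when any constant co-occurs with the CloseEnv string (threshold is an assumption)."""
    markers = find_markers(data)
    has_export = EXPORT_NAME in data
    return {
        "markers": markers,
        "closeenv_string": has_export,
        "suspect": len(markers) >= min_markers or (bool(markers) and has_export),
    }


# Constructed sample: mimics a code region with three immediates followed by the
# export name string. These are not bytes taken from a real sample.
SAMPLE = (b"\x90" * 8 + b"\xb8" + struct.pack("<I", 0x59863F09)
          + b"\x90" * 4 + b"\x68" + struct.pack("<I", 0xF07D6B34)
          + b"\x90" * 4 + b"\x68" + struct.pack("<I", 0xEF8C0D51)
          + b"\x00" * 4 + EXPORT_NAME + b"\x00")

if __name__ == "__main__":
    for label, offs in find_markers(SAMPLE).items():
        print(f"{label}: offsets {offs}")
    print(triage(SAMPLE))
```

Four-byte patterns can match by chance in large binaries, so treat a single hit as a lead for analysis rather than a verdict.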

References
2023-10-27, Kaspersky, Seongsu Park: A cascade of compromise: unveiling Lazarus’ new campaign. https://securelist.com/unveiling-lazarus-new-campaign/110888/ (accessed 2023-11-13)
Families: LPEClient, PostNapTea

2023-04-12, Kaspersky Labs, Seongsu Park: Following the Lazarus group by tracking DeathNote campaign. https://securelist.com/the-lazarus-group-deathnote-campaign/109490/ (accessed 2023-11-27)
Families: Bankshot, BLINDINGCAN, ForestTiger, LambLoad, LPEClient, MimiKatz, NedDnLoader, Racket Downloader, Volgmer

2021-10-08, Virus Bulletin, Seongsu Park: Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections. https://vblocalhost.com/uploads/VB2021-Park.pdf (accessed 2023-07-24)
Families: Dacls, AppleJeus, AppleJeus, Bankshot, BookCodes RAT, Dacls, DRATzarus, LCPDot, LPEClient

2021-10-07, Virus Bulletin, Taewoo Lee, Dongwook Kim, Byeongjae Kim: Operation Bookcodes – targeting South Korea. https://vblocalhost.com/uploads/VB2021-Lee-etal.pdf (accessed 2023-07-24)
Families: BookCodes RAT, LPEClient

2021-02-25, Kaspersky Labs, Vyacheslav Kopeytsev, Seongsu Park: Lazarus targets defense industry with ThreatNeedle. https://securelist.com/lazarus-threatneedle/100803/ (accessed 2023-07-24)
Families: HTTP(S) uploader, LPEClient, Volgmer

2020-08-13, ClearSky, ClearSky Research Team: Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf (accessed 2023-09-07)
Families: DRATzarus, LPEClient, NedDnLoader

There is no Yara-Signature yet.