A recent cyber campaign attributed to the Lazarus hackers from North Korea appears to have focused on a specific vendor’s software, which remains unidentified. It’s reported that these hackers exploited known vulnerabilities in widely-used software to compromise the company’s security.
Lazarus hackers targeted a software vendor
Kaspersky’s analysis reveals that the vulnerabilities were exploited to deploy malware such as SIGNBT and LPEClient. LPEClient is a widely recognized hacking tool used for victim profiling and for deploying additional malware.
Security researcher Seongsu Park commented, “The attackers exhibited advanced skills, employing evasion techniques and deploying the SIGNBT malware for victim control. This variant of SIGNBT utilizes a distinct infection chain and sophisticated methods.”
Kaspersky reported that the company behind the compromised software had suffered multiple Lazarus hacker attacks, suggesting source code theft or “poisoning” of the software supply chain, reminiscent of the 3CX supply chain attack.
The Lazarus hackers “continued to exploit vulnerabilities in the company’s software while targeting other software makers,” Park added.
According to the company, the victims were targeted through security software designed to encrypt web communications using digital certificates. The software’s name was not disclosed, and the precise method of using it to distribute SIGNBT remains undisclosed.
Alongside employing diverse tactics for establishing and sustaining persistence in breached systems, their attack chain utilizes an in-memory loader as a conduit to initiate the SIGNBT malware.
The core function of SIGNBT is to establish communication with a remote server and fetch additional commands for execution on the compromised host computer.
The Windows backdoor also has various features for exercising control over the victim’s system.
Kaspersky said it detected at least three different campaigns by Lazarus hackers in 2023; they used a variety of attack vectors and infection processes but consistently relied on the LPEClient malware to deliver the final-stage malware.
One such campaign paved the way for a new malicious implant codenamed Gopuram, which was used in attacks targeting cryptocurrency companies by leveraging a trojanized version of 3CX video conferencing software.
These recent discoveries represent the ongoing trend of cyber operations associated with North Korea. Simultaneously, they underscore the continuous evolution of tools, tactics, and techniques employed by the Lazarus hackers.
Park added, “The Lazarus Team continues to demonstrate high activity and adaptability in the current cybersecurity landscape.”
To safeguard against potential attacks from North Korea’s Lazarus group, several security precautions can be implemented. Among these, keeping software up-to-date with the latest patches and fixes is paramount. Since Lazarus Group attacks target known software vulnerabilities, regular updates can significantly mitigate the risk of an attack.
Furthermore, the enforcement of rigorous security policies is vital for defense against Lazarus Group attacks. These policies should encompass the implementation of robust password practices, restricted access to sensitive data, vigilant network activity monitoring, and the prompt identification and resolution of software vulnerabilities.