The Lazarus group was observed exploiting flaws in an unnamed software program to gain access to a South Korean financial firm twice last year.
The North Korea-linked group had infiltrated the affected company in May 2022 and again in October through the same software's zero-day vulnerability, according to research by AhnLab Security Emergency Response Center (ASEC).
ASEC reported the software in question to the Korea Internet & Security Agency, since the vulnerability has not been fully verified yet and a software patch has not been released. The report therefore does not name the affected software.
During the infiltration in May 2022, the affected financial company was using a vulnerable version of a certificate program that was commonly used by public institutions and universities. After the incident, the company updated all of its software to the latest versions. However, the Lazarus group used the same software's zero-day vulnerability to carry out its infiltration the second time, ASEC said in its research.
BYOVD attack
To disable security products on infected machines and to exploit the software's vulnerable driver kernel modules, the Lazarus group used the Bring Your Own Vulnerable Driver (BYOVD) technique.
In BYOVD attacks, threat actors use legitimately signed, but vulnerable, drivers to perform malicious actions on systems. The attacker can use the vulnerabilities in the drivers to execute malicious actions with kernel-level privileges.
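To make the defender's side of this concrete, the following added example (not from ASEC's report or this article) triages constructed Sysmon Event ID 6 driver-load records for BYOVD indicators: it checks the driver's hash against a placeholder blocklist and its load path, since a validly signed driver passes signature checks by design. Sysmon's field names are real; the hashes, paths and log lines are constructed for illustration.

```python
# Added example, not from ASEC's report: triage Sysmon Event ID 6 (Driver Load)
# records for BYOVD indicators. All hashes, paths and log lines are constructed.
import json
import ntpath

# Placeholder blocklist of SHA256 hashes of known-vulnerable signed drivers.
BLOCKLISTED_SHA256 = {"1" * 64}
# Directories a kernel driver is normally loaded from; anything else stands out.
EXPECTED_DIRS = {r"c:\windows\system32\drivers", r"c:\windows\system32"}


def parse_hashes(field):
    """Sysmon writes hashes as 'MD5=...,SHA256=...,IMPHASH=...'."""
    out = {}
    for part in field.split(","):
        algo, _, val = part.partition("=")
        if val:
            out[algo.strip().upper()] = val.strip().lower()
    return out


def triage_driver_load(event):
    """Return the reasons a driver load deserves a look (empty = nothing found)."""
    reasons = []
    if parse_hashes(event.get("Hashes", "")).get("SHA256") in BLOCKLISTED_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    directory = ntpath.dirname(event.get("ImageLoaded", "")).lower()
    if directory not in EXPECTED_DIRS:
        reasons.append("unusual load path: " + directory)
    # A BYOVD driver carries a valid signature, so 'Signed: true' alone proves
    # nothing; the hash and the load path are the useful signals.
    return reasons


def triage_log(lines):
    """Map ImageLoaded -> reasons for every Event ID 6 record with a finding."""
    findings = {}
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") == 6:
            reasons = triage_driver_load(ev)
            if reasons:
                findings[ev["ImageLoaded"]] = reasons
    return findings


# Constructed sample log (JSON lines): a normal load, then a vulnerable driver dropped in a user directory.
SAMPLE_LOG = [
    json.dumps({"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
                "Hashes": "SHA256=" + "2" * 64, "Signed": "true"}),
    json.dumps({"EventID": 6, "ImageLoaded": r"C:\Users\Public\tools\vuln.sys",
                "Hashes": "MD5=" + "a" * 32 + ",SHA256=" + "1" * 64, "Signed": "true"}),
]
```

Running `triage_log(SAMPLE_LOG)` flags only the second record, on both the hash and the load path.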
The zero-day vulnerability that was exploited by the threat actors was in a certificate software that is commonly used in Korea.
“Since these types of software are not updated automatically, they must be manually patched to the latest version or deleted if unused,” ASEC said in the research.
To further conceal malicious actions, the Lazarus group either modified file names before deleting them or modified timestamps using an anti-forensic technique, ASEC said in its research.
The attack resulted in multiple backdoor payloads being installed on the infected systems that connected to remote command-and-control servers and retrieved additional binaries that could be executed.
“Instead of taking only post-attack measures, continuous monitoring is required to prevent recurrences,” ASEC said in the research.
Activities of the Lazarus group
The Lazarus group has been active since 2009 and is a North Korean state-sponsored threat group that has been attributed to the Reconnaissance General Bureau, North Korea's intelligence agency. The most notable attacks by the group include the 2014 attack against Sony Pictures Entertainment, in which the group deployed a “wiper” to delete sensitive company data. In a 2016 attack, the group stole millions of dollars from Bangladesh's central bank.
The group has also been seen targeting the cryptocurrency sector in recent times. Earlier this week, the FBI confirmed that the Lazarus group was responsible for the Harmony Horizon Bridge currency theft. Harmony Horizon had reported a theft of $100 million of digital currency in June 2022.
The group, which is being tracked by several security researchers, has been updating several tactics, techniques and procedures as well as introducing new payloads. Last month, a payload of the Wslink downloader named WinorDLL64 was attributed to the Lazarus group by ESET researchers. This payload can be used to carry out file manipulation, execute further code, and obtain extensive information about the underlying system that can later be leveraged for lateral movement.
The group is also known to have targeted various Korean companies related to national defense, satellites, software, and the press in the last two years, according to ASEC.
“The Lazarus group is researching the vulnerabilities of various other software and are constantly changing their TTPs by changing the way they disable security products and carry out anti-forensic techniques to interfere with or delay detection and analysis in order to infiltrate Korean institutions and companies,” the ASEC report said.
Copyright © 2023 IDG Communications, Inc.