Lazarus Group Targets South Korea via Supply Chain Attack

The North Korea-linked threat actor known as Lazarus has been targeting users in South Korea through a supply chain attack that involves software typically required by government and financial organizations, ESET reported on Monday.

Lazarus is the best-known hacking group believed to operate on behalf of the North Korean government, with activity ranging from espionage to profit-driven operations. Unsurprisingly, many of the group’s operations are aimed at South Korea, including an interesting attack observed in recent months by ESET.

The campaign, believed to be part of an operation dubbed BookCodes by the Korea Internet & Security Agency, has been linked to Lazarus based on various aspects, including the malware used in the attacks, victimology, and the infrastructure leveraged by the attackers.

According to ESET, the hackers have targeted WIZVERA VeraPort, a piece of software that users need in order to be able to access services provided by some government and banking websites in South Korea.

The cybersecurity firm’s researchers believe the hackers haven’t actually compromised WIZVERA systems, and instead they have targeted the websites that use the software.

The attackers compromise web servers with VeraPort support and configure them to serve a malicious file instead of legitimate software. The malicious file is served when a user who has the VeraPort software installed visits the website associated with the compromised server.

For the attack to work, the hackers needed to sign their malware and in some cases they achieved this by abusing code-signing certificates issued to companies that provide physical and cyber security solutions.

The attackers initially push a signed downloader, followed by a dropper, a loader, another downloader, and then the final payload. The final payload is a RAT that allows the attackers to perform various activities on the compromised device, including downloading and executing additional malware.

ESET noted that for the attack to succeed, the targeted web server needs to be configured in a certain way, which is why its experts say this malware delivery method has only been used in limited Lazarus operations.

“Attackers are particularly interested in supply-chain attacks, because they allow them to covertly deploy malware on many computers at the same time,” ESET researchers explained. “We can safely predict that the number of supply-chain attacks will increase in the future, especially against companies whose services are popular in specific regions or in specific industry verticals.”

ESET has published a blog post detailing the attacks and it has also shared some indicators of compromise (IoCs) to help organizations detect attacks.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.