Lazarus Group Used Supply Chain Attack to Target South Korean Users with Malware

mood · Nov 16, 2020

Lazarus Group Used Supply Chain Attack to Target South Korean Users with Malware
ESET researchers uncover a novel Lazarus supply-chain attack leveraging WIZVERA VeraPort software
November 16, 2020
https://www.tripwire.com/state-of-s...ck-to-target-south-korean-users-with-malware/

The Lazarus group leveraged a supply chain attack to target users located in South Korea with custom malware.

On November 16, ESET disclosed that the Lazarus group conducted its supply chain attack by abusing WIZVERA VeraPort. This application helps users in South Korea manage the installation of additional computer security software when they visit a government portal or banking website that requires it.
Users sometimes can’t access a site’s resources unless they have WIZVERA VeraPort installed on their devices.
Click to expand...

Acknowledging that reality, the Lazarus group crafted its attack to prey upon machines that had WIZVERA VeraPort installed.

They specifically used stolen code-signing certificates, including one lifted from a U.S. branch of a South Korean security company, to push out malware in the VeraPort software bundle served by a legitimate but compromised website.

The attackers camouflaged the Lazarus malware samples as legitimate software. These samples have similar filenames, icons and VERSIONINFO resources as legitimate South Korean software often delivered via WIZVERA VeraPort. Binaries that are downloaded and executed via the WIZVERA VeraPort mechanism are stored in %Temp%\[12_RANDOM_DIGITS]\.
Click to expand...

ESET: Lazarus supply‑chain attack in South Korea

ESET telemetry data recently led our researchers to discover attempts to deploy Lazarus malware via a supply-chain attack in South Korea. In order to deliver its malware, the attackers used an unusual supply-chain mechanism, abusing legitimate South Korean security software and digital certificates stolen from two different companies.
Click to expand...

mood · Oct 27, 2021

Lazarus APT Uses Updated Malware in Potential Supply Chain Attacks
October 27, 2021
https://duo.com/decipher/lazarus-group-malware-attacks-target-it-supply-chain

A pair of cyberattacks launched by the Lazarus advanced persistent threat (APT) group may indicate an effort to “build supply chain attack capabilities,” according to Kaspersky researchers. The group behind the attacks targeted legitimate South Korean security software in June, as well as a company developing asset monitoring solutions in Latvia - an “atypical victim” for Lazarus - in May.

Researchers with Kaspersky, in their APT trends report for the third quarter of 2021, said the Lazarus group leveraged an updated version of the DeathNote malware, which is known to send data about the compromised host and fetch a next-stage payload, as well as the Racket downloader. Through these attacks, the group was able to execute a malicious payload to target a think tank in South Korea, said researchers.

“We observed that the infection chain at the think tank stemmed from this security software spawning Lazarus’ Racket downloader," said Ariel Jungheit and David Emm, senior security researchers for the Global Research and Analysis Team (GReAT) with Kaspersky.
"This by itself doesn’t necessarily mean that a supply chain attack took place, but it does raise suspicion. The actor focused on a specific old version that might have had a vulnerability allowing Lazarus to leverage this software to infect their targets."
Click to expand...

Upon further investigation, researchers observed the DeathNote malware cluster using a slightly updated variant of Blindingcan, a North Korean remote access trojan.
“As part of the infection chain, Lazarus used a downloader named Racket that they signed using a stolen certificate,” said Kaspersky researchers.

Jungheit and Emm said the recent campaign suggests Lazarus is "working on building up their capacity to perform supply chain attacks."

“We saw an increase of supply chain attacks in 2021 of various sophistication levels,” they said.
Click to expand...

Log in or Sign up

Lazarus Group Used Supply Chain Attack to Target South Korean Users with Malware

mood Updates Team

mood Updates Team