The North Korea-linked threat group known as Lazarus has been targeting users in South Korea through a supply chain attack involving software typically required to use government and financial institution websites, ESET reported on Monday.
Lazarus is the best-known hacker group believed to act on behalf of the North Korean government, with attacks ranging from espionage to profit-making operations. It is not surprising that many of the group’s activities focus on South Korea, including an interesting attack observed by ESET in recent months.
The campaign, which the Korea Internet & Security Agency has described as part of an operation called BookCodes, was linked to Lazarus for several reasons, including the malware used in the attacks, the victimology, and the infrastructure used by the attackers.
According to ESET, the hackers focused on WIZVERA VeraPort, software that users need in order to access the services of some government and banking websites in South Korea.
The cybersecurity firm’s researchers believe the hackers did not actually breach WIZVERA’s systems, but instead targeted websites that use the software.
The attackers compromise web servers that support VeraPort and configure them to deliver a malicious file instead of the legitimate software. The malicious file is delivered when a user who has VeraPort installed visits a website served by the compromised server.
For the attack to work, the hackers had to sign their malware, and in some cases they did so by misusing code-signing certificates issued to companies that provide physical security and cybersecurity solutions.
The attackers first push a signed downloader, followed by a dropper, a loader, another loader, and finally the final payload. The final payload is a remote access trojan (RAT), which allows the attackers to perform various actions on the infected device, including downloading and running other malware.
ESET noted that a successful attack requires the targeted web server to be configured in a specific way, which is why the company’s experts say this malware delivery method was used only in a limited number of Lazarus operations.
Attackers are particularly interested in supply chain attacks because they allow malware to be covertly deployed on many computers at the same time, ESET researchers explain. We can safely predict that supply chain attacks will increase in the future, particularly against companies whose services are popular in certain regions or industries.
ESET has published a blog post detailing the attacks and has also shared indicators of compromise (IoCs) to help organizations detect them.
@EduardKovacs – Editor at SecurityWeek. He worked for two years as a high school IT teacher before starting a career in journalism as a security news reporter for Softpedia. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.