Recently, security experts at ESET detected Lazarus malware involved in new campaigns against the South Korean supply chain that abuse stolen security certificates. The experts also revealed that the abused certificates had been stolen from two separate, legitimate South Korean companies.
Lazarus, also known as Hidden Cobra, is an umbrella name for elite threat groups, including offshoot entities suspected of being tied to North Korea.
Moreover, the experts also believe it is responsible for Sony’s infamous 2014 hack; beyond that, Lazarus has been linked to attacks using zero-day vulnerabilities, LinkedIn phishing messages, and the deployment of Trojans in campaigns that include Dacls and Trickbot.
Lazarus Toolset and Supply-chain Attack
The Lazarus group was first recognized in February 2016, in Novetta’s report “Operation Blockbuster”; US-CERT and the FBI refer to this group as HIDDEN COBRA. According to the security experts, these cybercriminals rose to prominence with the infamous case of cybersabotage against Sony Pictures Entertainment.
Apart from this, the Lazarus toolset is extremely wide, and the security experts believe there are various subgroups behind it. Parts of the toolset are also used by other cybercriminal groups, but the source code of no Lazarus tool has ever been published in a public leak.
In the Lazarus supply-chain attack, South Korean internet users are often required to install additional security software when visiting government or internet trading websites.
The chain involves WIZVERA VeraPort, referred to as an integration installation program: a South Korean application that helps manage such additional security software.
Once WIZVERA VeraPort is installed on their devices, users receive and install, through VeraPort, all the software a specific website requires.
Malware Samples Delivered Using this Supply-chain attack
The samples delivered using the supply-chain attack are listed below:
The attributes linking this supply-chain attack to Lazarus are listed below:
- Community agreement: The current attack is a continuation of what KrCERT has called Operation BookCodes.
- Toolset characteristics and detection: The initial dropper is a console application that requires parameters, and the final payload is a RAT module.
- Victimology: The Lazarus group has a long history of attacks against victims in South Korea, such as Operation Troy.
- Network infrastructure: The server-side techniques of the web shells and the organization of the C&Cs are described precisely in KrCERT’s white paper.
- Eccentric approach:
  - In intrusion methods: the unusual method of infiltration is a sign that a sophisticated approach could be behind it.
  - In encryption methods: use of the Spritz variant of RC4, as in the watering-hole attacks against Polish and Mexican banks.
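The Spritz variant of RC4 named above as an encryption marker, as an added reference implementation (not ESET's code and not taken from the malware): an analyst can check a recovered keystream or decryption routine against the cipher's published test vector (key "ABC" yields 77 9a 8e 01 f9 e9 cb c0) and decrypt captured data once the key is known. It follows the Spritz specification by Rivest and Schuldt (2014) with N = 256.

```python
from math import gcd

class Spritz:
    """Spritz sponge-like stream cipher (Rivest & Schuldt, 2014), N = 256."""
    N = 256

    def __init__(self, key: bytes):
        self.i = self.j = self.k = self.z = self.a = 0
        self.w = 1
        self.S = list(range(self.N))          # identity permutation
        self.absorb(key)                      # KeySetup(K)

    def _update(self):                        # Update(): advance i, j, k and swap
        S, N = self.S, self.N
        self.i = (self.i + self.w) % N
        self.j = (self.k + S[(self.j + S[self.i]) % N]) % N
        self.k = (self.i + self.k + S[self.j]) % N
        S[self.i], S[self.j] = S[self.j], S[self.i]

    def _whip(self, r):                       # Whip(r): r updates, then next w coprime to N
        for _ in range(r):
            self._update()
        self.w += 1
        while gcd(self.w, self.N) != 1:
            self.w += 1

    def _crush(self):                         # Crush(): non-invertible pairwise sort
        S, N = self.S, self.N
        for v in range(N // 2):
            if S[v] > S[N - 1 - v]:
                S[v], S[N - 1 - v] = S[N - 1 - v], S[v]

    def _shuffle(self):                       # Shuffle(): Whip/Crush/Whip/Crush/Whip
        self._whip(2 * self.N); self._crush()
        self._whip(2 * self.N); self._crush()
        self._whip(2 * self.N)
        self.a = 0

    def absorb(self, data: bytes):            # Absorb(I): low nibble first, then high
        for b in data:
            for nibble in (b & 0x0F, b >> 4):
                if self.a == self.N // 2:
                    self._shuffle()
                h = self.N // 2 + nibble
                self.S[self.a], self.S[h] = self.S[h], self.S[self.a]
                self.a += 1

    def squeeze(self, r: int) -> bytes:       # Squeeze(r): r bytes of keystream
        if self.a > 0:
            self._shuffle()
        out = bytearray()
        for _ in range(r):
            self._update()
            S, N = self.S, self.N
            self.z = S[(self.j + S[(self.i + S[(self.z + self.k) % N]) % N]) % N]
            out.append(self.z)
        return bytes(out)

def spritz_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the Spritz keystream."""
    return bytes(m ^ k for m, k in zip(data, Spritz(key).squeeze(len(data))))
```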
According to the ESET report, it is a common characteristic of many APT groups, Lazarus in particular, that they deploy their arsenal in multiple stages that act as a cascade, from the dropper through intermediate products up to the final payloads.
Dropper, Loader, Downloader, and Module
- Dropper: The initial stage of the cascade; there is no polymorphism or obfuscation in its code, and it encapsulates three encrypted files in its resources.
- Loader: A Themida-protected file; the experts estimate the Themida version at 2.0-2.5, which agrees with KrCERT’s report.
- Downloader: The main downloader is dropped by the Dropper component under the name bcyp655.tlb and injected into one of the services by the Loader.
- Module: A RAT with a set of typical features adopted by the Lazarus group; its commands include operations on the victim’s filesystem and the download of additional tools from the attacker’s arsenal.
The targeted web server needs to be configured in a specific way, and this malware delivery method has so far been used in only a limited number of Lazarus operations. Security experts are still investigating the matter and working to mitigate the threat.
Indicators of Compromise (IoCs)