Lazarus APT Hackers Deploy Malware to Attack Windows Machines via a Supply-Chain Attack

Recently, security researchers at ESET detected Lazarus malware being used in a new supply-chain attack against South Korean users, delivered with the help of stolen code-signing certificates. The researchers found that the abused certificates had been stolen from two separate, legitimate South Korean companies.

Lazarus, also known as Hidden Cobra, is an umbrella name for a set of elite threat groups, including offshoot entities, that are suspected of being linked to North Korea.

The group is believed to be responsible for the infamous 2014 hack of Sony Pictures. Lazarus has also been linked to attacks that used zero-day vulnerabilities and LinkedIn phishing messages, and to the deployment of Trojans such as Dacls and Trickbot in earlier campaigns.

Lazarus Toolset and Supply-chain Attack

The Lazarus group was first identified in February 2016 in Novetta's report "Operation Blockbuster"; US-CERT and the FBI refer to the group as HIDDEN COBRA. According to the security researchers, the group rose to prominence with the infamous case of cyber-sabotage against Sony Pictures Entertainment.

The Lazarus toolset is extremely broad, and the researchers believe there are several subgroups within Lazarus. Unlike the toolsets of some other cybercriminal groups, none of the source code of any Lazarus tool has ever been published in a public leak.

In the Lazarus supply-chain attack, the attackers took advantage of the fact that South Korean internet users are often required to install additional security software when visiting government or internet banking websites.

The chain involves WIZVERA VeraPort, referred to as an integration installation program: a South Korean application that helps manage such additional security software.

With WIZVERA VeraPort installed on their devices, users receive and install all the software that a specific website requires, through VeraPort.

Malware Samples Delivered Using this Supply-chain attack

The samples delivered through this supply-chain attack are:

  • Delfino.exe
  • MagicLineNPIZ.exe

ESET attributes this supply-chain attack to the Lazarus group on the following grounds:

  • Community agreement: The current attack is a continuation of what KrCERT has called Operation BookCodes.
  • Toolset characteristics and detection: The initial dropper is a console application that requires parameters, and the final payload is a RAT module.
  • Victimology: The Lazarus group has a long history of attacks against victims in South Korea, such as Operation Troy.
  • Network infrastructure: The server-side techniques (web shells) and the organization of the C&C servers are described in detail in KrCERT's white paper.
  • Unusual approach:
    • In intrusion methods: The unusual method of infiltration, a supply-chain attack, is a sign of a more sophisticated approach.
    • In encryption methods: A Spritz variant of RC4 was used in the watering-hole attacks against Polish and Mexican banks.

Malware analysis

According to the ESET report, it is a common characteristic of many APT groups, and of Lazarus in particular, that they deploy their arsenal in multiple stages that execute as a cascade, from the dropper through intermediate components to the final payloads.

Dropper, Loader, Downloader, and Module

  • Dropper: The initial stage of the cascade. The researchers saw no polymorphism or obfuscation in its code; the dropper carries three encrypted files in its resources.
  • Loader: A Themida-protected file; the researchers estimate the Themida version to be 2.0-2.5, which agrees with KrCERT's report.
  • Downloader: The main downloader is dropped by the Dropper component under the name bcyp655.tlb and injected into one of the system services by the Loader.
  • Module: A RAT with a set of characteristics typical of the Lazarus group. Its commands include operations on the victim's filesystem and the download of additional tools from the attacker's arsenal.

This delivery method requires the targeted web server to be configured in a specific way (it must support VeraPort), and it has been used in only a limited number of Lazarus operations. Because VeraPort can require the binaries it downloads to carry a valid code signature, the stolen certificates are what allowed the malicious samples to pass that check: a valid signature on its own says nothing about who actually signed the file. ESET's researchers are continuing to investigate the campaign.

Indicators of Compromise (IoCs)

Detection names


SHA-1 of signed samples


SHA-1 of samples


Code signing certificate serial numbers


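The practical lesson of this campaign is that a code signature that verifies as "Valid" is not enough when the certificate was stolen; a defender also has to check who the signer is, and sweep for the published SHA-1 hashes and certificate serial numbers. The following PowerShell script is an added example (it is not code from ESET, from the original article, or from WIZVERA) that walks a directory, hashes every executable, reads its Authenticode signer, and flags files whose hash or signer serial number appears in an IoC list, or whose signature is valid but from a signer that is not on an expected allowlist. The hash, serial number and signer values below are placeholders, not the real indicators, which should be taken from the ESET report; the default path is likewise an assumption.

```powershell
# Added example: IoC sweep for signed-binary supply-chain abuse (not from the ESET report).
# All indicator values below are placeholders; replace them with the real IoCs.
param(
    [string]$Path = 'C:\Program Files (x86)',                   # assumption: directory to sweep
    [string[]]$KnownBadSha1 = @('0000000000000000000000000000000000000000'),  # placeholder SHA-1
    [string[]]$KnownBadSerials = @('00DEADBEEF'),               # placeholder certificate serial
    [string[]]$ExpectedSigners = @()                            # e.g. 'CN=Example Vendor'; empty = no allowlist
)

# Normalise the hash list once; Get-FileHash returns upper-case hex.
$badHashes = $KnownBadSha1 | ForEach-Object { $_.ToLower() }

$findings = foreach ($file in Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.tlb -ErrorAction SilentlyContinue) {
    $sha1 = (Get-FileHash -Path $file.FullName -Algorithm SHA1).Hash.ToLower()
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

    # SignerCertificate is $null for unsigned files.
    $serial  = if ($sig.SignerCertificate) { $sig.SignerCertificate.SerialNumber } else { $null }
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }      else { $null }

    $flags = @()
    if ($badHashes -contains $sha1) { $flags += 'KNOWN_BAD_HASH' }

    # Match the serial regardless of Status: once the CA revokes a stolen certificate the
    # signature will no longer verify as Valid, but the serial still identifies the sample.
    if ($serial -and ($KnownBadSerials -contains $serial)) { $flags += 'STOLEN_CERT_SERIAL' }

    # A valid signature is necessary but not sufficient: the signer must be who you expect.
    if ($ExpectedSigners.Count -gt 0 -and $sig.Status -eq 'Valid' -and $subject) {
        $matched = $ExpectedSigners | Where-Object { $subject -like "*$_*" }
        if (-not $matched) { $flags += 'VALID_BUT_UNEXPECTED_SIGNER' }
    }

    # Surface broken, expired or revoked signatures separately from unsigned files.
    if ($sig.Status -notin @('Valid', 'NotSigned')) { $flags += "SIG_$($sig.Status)" }

    if ($flags.Count -gt 0) {
        [pscustomobject]@{
            File   = $file.FullName
            SHA1   = $sha1
            Status = $sig.Status
            Signer = $subject
            Serial = $serial
            Flags  = ($flags -join ',')
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it with the real SHA-1 and serial-number lists from the ESET report and, for the directory where VeraPort-managed software is installed, an `-ExpectedSigners` allowlist of the vendors you expect; the `VALID_BUT_UNEXPECTED_SIGNER` flag is what catches the case this campaign relied on, a technically valid signature from the wrong company.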
Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
