APT Hackers Deploy Lazarus Malware to Attack Windows Machines via a Supply-Chain Attack

Recently, security experts at ESET detected Lazarus malware involved in new supply-chain campaigns against South Korea that rely on stolen certificates. The experts also revealed that the stolen certificates being abused belong to two separate, legitimate South Korean companies.

Lazarus, also identified as Hidden Cobra, is an umbrella name for elite threat groups, including offshoot entities suspected of being linked to North Korea.

Moreover, the experts believe it is responsible for Sony's infamous 2014 hack; Lazarus has also been linked to attacks using zero-day vulnerabilities and LinkedIn phishing messages, and to the deployment of Trojans in campaigns that include Dacls and Trickbot.

Lazarus Toolset and Supply-chain Attack

The Lazarus group was first recognized in February 2016 in Novetta's report "Operation Blockbuster"; US-CERT and the FBI refer to this group as HIDDEN COBRA. According to the security experts, these cybercriminals rose to prominence with the infamous case of cybersabotage against Sony Pictures Entertainment.

Apart from this, the Lazarus toolset is extremely wide, and the security experts believe the group is made up of various subgroups. Unlike the toolsets used by some other cybercriminal groups, none of the source code of any Lazarus tool has ever been published in a public leak.

The Lazarus supply-chain attack exploits the fact that South Korean internet users are often required to install additional security software when visiting government or internet trading websites.

The chain relies on WIZVERA VeraPort, referred to as an integration installation program; it is a South Korean application that helps manage such additional security software.

With WIZVERA VeraPort installed on their devices, users receive and install, through VeraPort, all the software required by a specific website.

Malware Samples Delivered Using This Supply-chain Attack

The samples delivered using the supply-chain attack are listed below:

  • Delfino.exe
  • MagicLineNPIZ.exe

The evidence attributing this supply-chain attack to Lazarus is listed below:

  • Community agreement: The current attack is a continuation of what KrCERT has called Operation BookCodes.
  • Toolset characteristics and detection: The first dropper is a console application that requires parameters, and the final payload is a RAT module.
  • Victimology: The Lazarus group has a long history of attacks against victims in South Korea, such as Operation Troy.
  • Network infrastructure: The server-side techniques (web shells and the organization of C&C servers) are described very precisely in KrCERT's white paper.
  • Eccentric approach:
    • In intrusion methods: the unusual method of infiltration is a sign that it could be linked to a sophisticated actor.
    • In encryption methods: the use of Spritz, a variant of RC4, as seen in the watering-hole attacks against Polish and Mexican banks.
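The encryption-method point above depends on recognizing Spritz, the RC4 variant, inside a sample. The reference keystream generator below is an added example, not code from ESET or this article; it implements the published Spritz specification (Rivest and Schuldt, 2014) so that an analyst can compare the output of a recovered encryption routine against a known-good implementation using the paper's own test vectors.

```python
# Reference Spritz keystream generator (Rivest & Schuldt, 2014); added example, not ESET's code.
from math import gcd
N = 256

class Spritz:
    def __init__(self):
        # InitializeState: registers i, j, k, z, a, w and the identity permutation S
        self.i = self.j = self.k = self.z = self.a = 0
        self.w, self.S = 1, list(range(N))
    def _update(self):
        S = self.S
        self.i = (self.i + self.w) % N
        self.j = (self.k + S[(self.j + S[self.i]) % N]) % N
        self.k = (self.i + self.k + S[self.j]) % N
        S[self.i], S[self.j] = S[self.j], S[self.i]
    def _shuffle(self):
        # Whip(2N), Crush, Whip(2N), Crush, Whip(2N), then reset the absorb counter a
        for step in range(5):
            if step % 2 == 0:  # Whip: 2N updates, then advance w to the next value coprime to N
                for _ in range(2 * N):
                    self._update()
                self.w = next(w for w in range(self.w + 1, self.w + N) if gcd(w, N) == 1)
            else:  # Crush: order each mirrored pair of S entries
                for v in range(N // 2):
                    if self.S[v] > self.S[N - 1 - v]:
                        self.S[v], self.S[N - 1 - v] = self.S[N - 1 - v], self.S[v]
        self.a = 0
    def absorb(self, data: bytes):
        # Absorb one nibble at a time, low nibble first; shuffle once half of S is used
        for b in data:
            for x in (b & 0x0F, b >> 4):
                if self.a == N // 2:
                    self._shuffle()
                self.S[self.a], self.S[N // 2 + x] = self.S[N // 2 + x], self.S[self.a]
                self.a += 1
        return self
    def squeeze(self, r: int) -> bytes:
        # Flush a pending absorb with a Shuffle, then Drip r bytes (Update + Output)
        if self.a > 0:
            self._shuffle()
        out, S = bytearray(), self.S
        for _ in range(r):
            self._update()
            self.z = S[(self.j + S[(self.i + S[(self.z + self.k) % N]) % N]) % N]
            out.append(self.z)
        return bytes(out)

def keystream(key: bytes, n: int) -> bytes:
    # Basic Spritz usage: absorb the key, then squeeze n keystream bytes
    return Spritz().absorb(key).squeeze(n)
```

The three basic-output test vectors from the Spritz paper (keys "ABC", "spam" and "arcfour") are the quickest way to confirm that a routine pulled from a sample really is Spritz and not plain RC4.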

Malware analysis

According to the ESET report, it is a common characteristic of many APT groups, particularly Lazarus, that they deliver their arsenal in multiple stages that operate as a cascade, from the dropper through intermediate components up to the final payloads.

Dropper, Loader, Downloader, and Module

  • Dropper: The initial stage of the cascade. There is no polymorphism or obfuscation in its code, and the dropper encapsulates three encrypted files in its resources.
  • Loader: A Themida-protected file; the experts estimate the Themida version to be 2.0-2.5, which agrees with KrCERT's report.
  • Downloader: The main downloader is dropped by the Dropper component under the name bcyp655.tlb and injected into one of the services by the Loader.
  • Module: A RAT with a set of characteristics typical of the Lazarus group. Its commands include operations on the victim's filesystem and the download of additional tools from the attacker's arsenal.

The targeted web server has to be configured in a specific way, so this malware delivery method has only been used in a limited number of Lazarus operations. Security experts are still investigating the matter and working to counter the threat.

Indicators of Compromise (IoCs)

The original ESET report lists detection names, SHA-1 hashes of the signed and unsigned samples, and the serial numbers of the abused code-signing certificates; those values are not reproduced here.

Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
