North Korean APT Actor Lazarus Attacks Defense Industry, Develops Supply Chain Attack Capabilities

One of the most prolific advanced threat actors, the North Korean APT group Lazarus, has recently been observed developing supply chain attack capabilities and, beyond that, using its multi-platform MATA framework for cyber espionage.

This North Korean APT group has been active since at least 2009 and is currently one of the most active APT groups globally, with a long track record of cyber-espionage and ransomware campaigns.

Through its malicious campaigns and wide range of custom tools, the group mostly targets the cryptocurrency markets and the defense industry to accomplish its goals.

Using the MATA malware framework, Lazarus operators have attacked several industries to steal customer databases and spread ransomware, but their main target is the defense industry. The MATA framework can target three major platforms:-

  • Windows
  • Linux
  • macOS

According to the Kaspersky report, the Lazarus APT group has attacked the defense industry several times; in mid-2020, for example, it launched the ThreatNeedle campaign against the defense industry.

Moreover, the US Cybersecurity and Infrastructure Security Agency (CISA) reported that Lazarus was building supply chain attack capabilities with an updated DeathNote cluster using a variant of BLINDINGCAN.

Ariel Jungheit, senior security researcher in Kaspersky's Global Research and Analysis Team, stated:-

“These recent developments highlight two things: Lazarus remains interested in the defense industry and is also looking to expand its capabilities with supply chain attacks.”

Several malicious campaigns have been identified in which an IT asset monitoring solution vendor, as well as a think tank in South Korea, were targeted. In these campaigns, two types of cases were discovered:-

First case: In an infection chain developed by Lazarus, a malicious payload was delivered via legitimate South Korean security software.

Second case: A Latvian asset monitoring company, an atypical victim for the group, was targeted by Lazarus.

In this infection chain, the threat actor used a downloader called Racket, signed with a stolen certificate, to install malware.

To filter and control the malicious implants on successfully breached machines, the actor uploaded several scripts to the compromised web servers.


Here’s the list of recommendations:-

  • Equip your SOC team with access to the latest threat intelligence (TI).
  • Upskill your cybersecurity team.
  • Implement EDR solutions.
  • Implement a corporate-grade security solution.
  • Provide security awareness training and have your team exercise practical skills.

To stay safe, Kaspersky's security analysts strongly recommend that users follow and implement all of the above recommendations immediately.


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
