Lazarus of North KoreahackerOrganizations have always beencyber securityan important concern in the world. Recently, they were thought to be behind a new attack campaign. In this campaign, an unnamed software vendor was compromised by exploiting known security vulnerabilities in high-profile software.
According to Kaspersky, these attacks ultimately led to the deployment of malware such as SIGNBT and LPEClient, which are known hacking tools used by threat actors for victim analysis and payload delivery.
Security researcher Seongsu Park pointed out that the attack showed a high degree of sophistication, with the adversary employing advanced evasion techniques and introducing SIGNBT malware to control the victim. SIGNBT malware employs diverse infection chains and sophisticated techniques.
According to Russian cybersecurity vendors, the company that developed the exploited software has been a victim of Lazarus attacks multiple times. This indicates an attempt to steal source code or contaminate the software supply chain, similar to previous 3CX supply chain attacks.
The Lazarus group continues to exploit vulnerabilities in the company's software and target other software manufacturers. It is said that multiple victims have been singled out in the latest campaign.
According to the company, victims were targeted through legitimate security software designed to encrypt network communications using digital certificates, but the name of the software was not disclosed. The exact propagation mechanism of SIGNBT malware is still unclear.
In addition to leveraging various tactics to establish and maintain persistence on infected systems, the attack chain also leverages memory loaders as a conduit to launch the SIGNBT malware.
The main function of the SIGNBT malware is to establish contact with the remote server and retrieve further commands for execution on the infected host. The malware is named using unique strings prefixed with "SIGNBT" in HTTP-based command and control (C2) communications, such as SIGNBTLG for initial connection, SIGNBTKE for gathering system metadata, SIGNBTGC for fetching commands, SIGNBTFI For communication failure, SIGNBTSR is used for successful communication.
The SIGNBT malware itself has multiple capabilities that can be used to take control of victim systems, including process enumeration, file and directory manipulation, and deployment of payloads such as LPEClient and other credential dumping utilities.
Kaspersky said it discovered at least three different Lazarus campaigns in 2023, using different intrusion vectors and infection procedures, but always relying on the LPEClient malware to deliver the final stage of the malware.
One of the campaign's implants, codenamed Gopuram, paved the way for cyberattacks against cryptocurrency companies by leveraging a Trojanized version of 3CX's voice and video conferencing software.
These latest discoveries are just the latest examples of North Korea-related cyber operations and demonstrate that the Lazarus group continues to evolve and expand its arsenal of tools, tactics, and techniques.
The Lazarus group has been a highly active and versatile threat actor and remains a significant concern in today's cybersecurity landscape. They constantly improve their attack techniques and find new targets and vulnerabilities to exploit. In addition to attacks against software vendors, the Lazarus group is also involved in other areas, such as financial institutions and cryptocurrency exchanges. They use a variety of tactics, including social engineering, phishing emails, and malware distribution, to steal sensitive information, steal funds, and conduct espionage.
The activities organized by Lazarus are linked to the North Korean government. They are believed to be authorized entities of the North Korean government, providing the government with cyber attack capabilities and helping the government achieve its political and economic goals. They have been active for the past few years and are an important concern for the cybersecurity community.
To protect themselves against this type of attack, software vendors and other potential targets should take a number of security measures. This includes regularly updating and patching security holes in software, implementing strong authentication and access control mechanisms, training employees on cybersecurity best practices, and using advanced intrusion detection and prevention systems.
In addition, users should also remain vigilant and avoid clicking on links from suspicious or unknown sources, not download attachments from unknown sources, regularly update and maintain their operating systems and applications, and use reliable security software to protect their devices from malware. infringement.
Overall, the Lazarus group’s activities demonstrate the continued evolution and escalation of cyber threats. In the face of these threats, ongoing security awareness and comprehensive defensive measures are crucial.
Original article, author: Chief Security Officer, if reprinted, please indicate the source: https://cncso.com/en/lazarus-group-attacks-software-suppliers-with-known-vulnerabilities.html
