The Lazarus group was spotted exploiting flaws in unnamed software to gain access to a South Korean finance firm twice last year.
The North Korea-linked group infiltrated the affected company in May 2022 and again in October through the same software's zero-day vulnerability, according to research by AhnLab Security Emergency Response Center (ASEC).
ASEC has reported the software in question to the Korean Internet and Security Agency; because the vulnerability has not yet been fully verified and no patch has been released, the report does not name the affected software.
During the infiltration in May 2022, the affected financial company was using a vulnerable version of a certificate program that was commonly used by public institutions and universities. After the incident, the company updated all their software to the latest versions. However, the Lazarus group used the same software’s zero-day vulnerability to carry out their infiltration the second time, ASEC said in its research.
To disable security products on the infected machines, the Lazarus group used the Bring Your Own Vulnerable Driver (BYOVD) technique, exploiting the vulnerable kernel-mode driver modules of the software.
In BYOVD attacks, threat actors load legitimately signed but vulnerable drivers and exploit their flaws to perform malicious actions with kernel-level privileges.
The zero-day exploited by the threat actors was in certificate software that is commonly used in Korea.
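As an added illustration of what defenders look for when BYOVD is suspected (this is example code, not from the article or ASEC's report), the Python below triages Sysmon "Driver loaded" (Event ID 6) records: it matches driver hashes against a list of known-vulnerable signed drivers and flags loads from user-writable paths. The hash list, driver file names and event text are constructed placeholders, and the blocklist would in practice be populated from a maintained vulnerable-driver list.

```python
"""Added example: triage Sysmon 'Driver loaded' (Event ID 6) records for BYOVD signs.
Hash values, driver names and event text are constructed placeholders, not real indicators."""
from dataclasses import dataclass

# Constructed placeholder entry; a real deployment fills this from a maintained
# list of known-vulnerable signed drivers (assumption, no real hash included).
KNOWN_VULNERABLE_SHA256 = {"11" * 32: "placeholder-vulnerable-driver.sys"}
# Legitimate drivers normally live under %SystemRoot%; BYOVD drops them elsewhere.
USER_WRITABLE_HINTS = ("\\temp\\", "\\users\\", "\\programdata\\", "\\appdata\\")


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature_status: str


def parse_sysmon_driver_event(text: str) -> DriverLoad:
    """Parse the 'Key: Value' body Sysmon renders for Event ID 6."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")  # first colon only; paths keep their drive letter
        fields[key.strip()] = value.strip()
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(
        image=fields["ImageLoaded"],
        sha256=hashes.get("SHA256", "").lower(),
        signed=fields.get("Signed", "false").lower() == "true",
        signature_status=fields.get("SignatureStatus", "Unknown"),
    )


def byovd_findings(ev: DriverLoad) -> list:
    """Return the reasons a driver load looks like BYOVD (empty list = nothing noted)."""
    findings = []
    if ev.sha256 in KNOWN_VULNERABLE_SHA256:
        findings.append(f"known vulnerable driver: {KNOWN_VULNERABLE_SHA256[ev.sha256]}")
    if any(hint in ev.image.lower() for hint in USER_WRITABLE_HINTS):
        findings.append("driver loaded from a user-writable path")
    # BYOVD drivers carry a valid signature by design, so a signature problem is a
    # separate, weaker signal; the hash and path checks above carry the weight.
    if not ev.signed or ev.signature_status != "Valid":
        findings.append("driver signature missing or not valid")
    return findings


# Constructed sample events (not taken from the ASEC report).
SAMPLE_EVENTS = [
    "ImageLoaded: C:\\Windows\\System32\\drivers\\placeholder-ok.sys\n"
    "Hashes: SHA256=" + "22" * 32 + "\nSigned: true\nSignatureStatus: Valid",
    "ImageLoaded: C:\\ProgramData\\placeholder-vulnerable-driver.sys\n"
    "Hashes: SHA256=" + "11" * 32 + "\nSigned: true\nSignatureStatus: Valid",
]


def triage(events=SAMPLE_EVENTS) -> dict:
    """Map each driver image path to its BYOVD findings."""
    return {ev.image: byovd_findings(ev) for ev in map(parse_sysmon_driver_event, events)}
```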
“Since these types of software are not updated automatically, they must be manually patched to the latest version or deleted if unused,” ASEC said in the research.
To further conceal its activity, the Lazarus group either renamed files before deleting them or modified their timestamps, an anti-forensic technique, ASEC said in its research.
The attack resulted in multiple backdoor payloads being installed on the infected systems; these connected to remote command-and-control servers and retrieved additional binaries for execution.
“Instead of taking only post-attack measures, continuous monitoring is required to prevent recurrences,” ASEC said in the research.
Activities of the Lazarus group
The Lazarus group, active since 2009, is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau, North Korea's intelligence agency. Its most notable attacks include the 2014 attack against Sony Pictures Entertainment, in which the group deployed a "wiper" to delete sensitive company data, and a 2016 attack in which it stole millions of dollars from Bangladesh's central bank.
The group has also been targeting the cryptocurrency sector in recent times. Earlier this week, the FBI confirmed that the Lazarus group was responsible for the Harmony Horizon Bridge cryptocurrency theft; Harmony Horizon had reported the theft of $100 million in virtual currency in June 2022.
The group, which is tracked by several security researchers, has been updating its tactics, techniques and procedures and introducing new payloads. Last month, a payload of the Wslink downloader named WinorDLL64 was attributed to the Lazarus group by ESET researchers. The payload can be used to manipulate files, execute further code, and collect extensive information about the underlying system that can later be leveraged for lateral movement.
The group is also known to have targeted various Korean companies related to national defense, satellites, software, and press in the last two years, according to ASEC.
“The Lazarus group is researching the vulnerabilities of various other software and is constantly changing its TTPs by altering the way it disables security products and carries out anti-forensic techniques to interfere with or delay detection and analysis in order to infiltrate Korean institutions and companies,” the ASEC report said.
Copyright © 2023 IDG Communications, Inc.