Lazarus malware was found to be involved in new campaigns against South Korean supply chains through stolen security certificates.
Cybersecurity researchers from ESET revealed the abuse of code-signing certificates that had been stolen from two separate, legitimate South Korean companies.
The Lazarus group, also called Hidden Cobra, is a threat group that has been linked to North Korea. Lazarus has been tied to numerous intrusions, including the infamous 2014 Sony hack, attacks using zero-day vulnerabilities, LinkedIn phishing messages, and the deployment of Trojans in campaigns.
Recently, Lazarus has expanded its attacks not only to steal sensitive data from corporations but also to compromise cryptocurrency organizations.
According to the researchers, in the latest supply chain attack the threat actors used an unusual supply-chain mechanism: Lazarus abused a standard requirement imposed on South Korean internet users, who must install additional security software when they visit government or financial services websites.
The users must download WIZVERA VeraPort, a program used to manage software downloads that are necessary to visit particular domains. These updates may include browser plugins, standalone security software, or identity verification tools.
WIZVERA VeraPort digitally signs and cryptographically verifies downloads.
So it is not possible for attackers to modify the content of these configuration files or to set up their own fake website. Instead, the attackers can replace the software that WIZVERA VeraPort delivers to users from a legitimate but compromised website. The researchers believe this is the approach the Lazarus attackers used.
Lazarus has targeted the weaker links in the chain by illegally obtaining code-signing certificates from two South Korean security companies.
The default configuration of WIZVERA VeraPort requires the signatures of downloaded binaries to be verified before execution. However, it only verifies that the signature is valid, not whom the signing certificate belongs to.
In order to exploit the software, the stolen but valid certificates were used to launch Lazarus malware payloads.
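The gap described above, a valid signature being accepted regardless of who signed, is illustrated by the following added example; it is not code from the article, from ESET, or from WIZVERA. It contrasts a signature-only check with a check that also pins the expected signer and, as a second layer, the expected file hash. The thumbprints, subjects and hash in the allow-lists are constructed placeholders; a site operator would replace them with values obtained from the vendor out of band.

```powershell
# Added example (not from the article or WIZVERA): check a downloaded binary by
# pinning WHO signed it, not merely whether the Authenticode signature is valid.
# All allow-list values below are constructed placeholders, not real vendor data.

param(
    [Parameter(Mandatory = $true)]
    [string]$FilePath
)

# Placeholder allow-list of expected signers: SHA-1 certificate thumbprint -> subject.
$ExpectedSigners = @{
    '0000000000000000000000000000000000000001' = 'CN=Example Security Vendor A, O=Example A, C=KR'
    '0000000000000000000000000000000000000002' = 'CN=Example Identity Vendor B, O=Example B, C=KR'
}

# Optional second layer: SHA-256 hashes of the exact release binaries the site expects.
# Catches the case where the stolen certificate belongs to the very vendor being pinned.
$ExpectedHashes = @(
    '0000000000000000000000000000000000000000000000000000000000000000'   # placeholder
)

function Test-SignatureOnly {
    # The weak policy: any valid Authenticode signature is accepted, whoever signed.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid')
}

function Test-PinnedSigner {
    # The hardened policy: signature valid AND signer pinned AND (optionally) hash pinned.
    param([string]$Path, [hashtable]$Signers, [string[]]$Hashes)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Accepted = $false
            Reason = "Signature status: $($sig.Status) ($($sig.StatusMessage))" }
    }

    $cert = $sig.SignerCertificate
    if (-not $Signers.ContainsKey($cert.Thumbprint)) {
        # This is the situation the article describes: a genuine, valid signature
        # from a certificate this site never expected to see on this download.
        return [pscustomobject]@{ Accepted = $false
            Reason = "Unexpected signer $($cert.Subject) [$($cert.Thumbprint)]" }
    }
    if ($Signers[$cert.Thumbprint] -ne $cert.Subject) {
        return [pscustomobject]@{ Accepted = $false
            Reason = "Subject '$($cert.Subject)' does not match the pinned subject" }
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        return [pscustomobject]@{ Accepted = $false
            Reason = "Signing certificate expired on $($cert.NotAfter)" }
    }
    if ($Hashes.Count -gt 0) {
        # Get-FileHash returns upper-case hex; -notcontains compares case-insensitively.
        $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($Hashes -notcontains $hash) {
            return [pscustomobject]@{ Accepted = $false
                Reason = "SHA-256 $hash is not in the expected release list" }
        }
    }
    return [pscustomobject]@{ Accepted = $true
        Reason = "Valid signature from pinned signer $($cert.Subject)" }
}

$weak   = Test-SignatureOnly -Path $FilePath
$strict = Test-PinnedSigner -Path $FilePath -Signers $ExpectedSigners -Hashes $ExpectedHashes
Write-Output "Signature-only check accepts : $weak"
Write-Output "Pinned-signer check accepts  : $($strict.Accepted) - $($strict.Reason)"
```

Run it as `.\Check-Download.ps1 -FilePath C:\path\to\download.exe` (script name assumed). A binary signed with a stolen but still valid certificate passes `Test-SignatureOnly` yet fails `Test-PinnedSigner` at the thumbprint step, which is exactly the distinction the article draws. Revoking a stolen certificate only helps once the client actually performs revocation checking; signer pinning does not depend on that. If the stolen certificate happens to belong to the very vendor whose software the site expects, signer pinning alone no longer helps, which is why the hash allow-list is kept as a second layer.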
So far, two malware samples have been detected that disguise the group's malware as legitimate South Korean software of the kind commonly downloaded and executed through WIZVERA VeraPort. File names, icons, and resources that mimic the legitimate software were used to avoid suspicion.
For example, if a victim visits a compromised website and downloads the substituted software, Lazarus launches a dropper via WIZVERA VeraPort that extracts a downloader and configuration files.
A connection is then established with the attacker’s command-and-control (C2) server and the final payload, a Remote Access Trojan (RAT), is deployed on a victim’s machine. RATs can be used to maintain covert surveillance, persistence via backdoors, and for the exfiltration of data or remote system control.
ESET researchers stated that it is a combination of compromised websites with WIZVERA VeraPort support and specific VeraPort configuration options that allow attackers to perform this attack.
It is possible for the owners of such websites to decrease the possibility of such attacks, even if their sites are compromised, by enabling specific options.
Image Credits : India Forensic