Lazarus Group Looking for Unpatched Software Vulnerabilities
North Korean Hackers Repeatedly Target Known Flaws in Legitimate Software
North Korean hackers are spreading malware through known vulnerabilities in legitimate software. In a new campaign spotted by Kaspersky researchers, the Lazarus group is targeting a version of an unnamed software product for which vulnerabilities have been reported and patches are available.
The new advanced persistent threat campaign, which targets organizations worldwide, exploited known flaws in an earlier version of an unnamed software product used to encrypt web communication with digital certificates, despite the vulnerabilities having been reported and patched.
Hackers from the Lazarus group exploited the vulnerable software and used it as an entry point to hack organizations and encrypt web communication using digital certificates, according to Kaspersky.
North Korea uses "cyber intrusions to conduct both espionage and financial crime to project power and to finance both their cyber and kinetic capabilities," according to a report by Google's Mandiant threat intelligence group. Under leader Kim Jong Un, the DPRK is affiliated with a number of state-sponsored hacking teams at home and abroad that gather intelligence on allies, enemies and defectors, as well as hack banks and steal cryptocurrency.
The United Nations has previously accused North Korea of using the stolen funds to finance the country's long-range missile and nuclear weapons programs and to enrich the country's rulers.
Hackers deployed SIGNBT malware to control the victim and used the well-known LPEClient tool, which researchers have previously seen targeting defense contractors, nuclear engineers and the cryptocurrency sector, and which was found in the notorious 3CX supply chain attack.
"This malware acts as the initial point of infection and plays a crucial role in profiling the victim and delivering the payload," the researchers said.
Kaspersky said the developers of the unnamed software had previously fallen victim to Lazarus several times. This recurring breach suggests a persistent and determined threat actor with the likely objective of stealing valuable source code or tampering with the software supply chain, it said.
Seongsu Park, lead security researcher at Kaspersky, said the Lazarus group's continued activity is a testament to its advanced capabilities and unwavering motivation.
"They operate on a global scale, targeting a wide range of industries with a diverse toolkit of methods. This signifies an ongoing and evolving threat that demands heightened vigilance," Park said.
Kaspersky researchers said that in mid-July, they detected a series of attacks on several victims using the vulnerable software, and they identified post-exploitation activity within the processes of the legitimate software.
"In one instance, while examining the memory of the compromised security software from a victim's system, we discovered the presence of the SIGNBT malware accompanied by a shellcode. This shellcode was responsible for launching a Windows executable file directly in memory," the researchers said.
The threat actor used various tactics to establish and maintain persistence on compromised systems, including the creation of a file called ualapi.dll in the system folder that is automatically loaded by the spoolsv.exe process at each system boot.
Lazarus hackers also made registry entries to execute legitimate files for the purpose of malicious side-loading, ensuring a resilient persistence mechanism, the researchers said.
Abusing the spoolsv.exe process for hijacking purposes is a long-standing strategy for Lazarus, the researchers said: the process loads a ualapi.dll file after each reboot. The file was previously used by the Gopuram malware.
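The spooler-based persistence described above (spoolsv.exe loading ualapi.dll at boot) is something a defender can hunt for in image-load telemetry. The following is an added example, not code from the Kaspersky report; it assumes Sysmon-style Event ID 7 ("Image loaded") records with the standard Image, ImageLoaded and Signed fields, reduced here to constructed dictionaries, and a hypothetical watchlist of module names.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style "Image loaded" (Event ID 7) records, trimmed to the
# fields the check needs. Paths and signature states are made up for the demo.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\localspl.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\ualapi.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\ualapi.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\spoolsv.exe",
     "CommandLine": r"C:\Windows\System32\spoolsv.exe"},
]

# Hypothetical watchlist: module names whose load into the print spooler
# should be reviewed. ualapi.dll is the name reported in the Kaspersky write-up.
WATCHED_MODULES = {"ualapi.dll"}
HOST_PROCESS = "spoolsv.exe"


def is_spooler_sideload(event):
    """True when spoolsv.exe loaded a watched module, from any directory."""
    if event.get("EventID") != 7:
        return False
    loader = PureWindowsPath(event["Image"]).name.lower()
    module = PureWindowsPath(event["ImageLoaded"]).name.lower()
    return loader == HOST_PROCESS and module in WATCHED_MODULES


def find_sideload_alerts(events):
    """Return one alert per suspicious load; unsigned modules rank higher."""
    alerts = []
    for ev in events:
        if not is_spooler_sideload(ev):
            continue
        signed = ev.get("Signed", "").lower() == "true"
        alerts.append({
            "module": ev["ImageLoaded"],
            "loader": ev["Image"],
            "severity": "medium" if signed else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_sideload_alerts(SAMPLE_EVENTS):
        print(alert)
```

The load by explorer.exe is deliberately ignored so the rule stays focused on the spooler, and a signed copy still produces a lower-severity alert rather than silence.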
"The malicious ualapi.dll file was developed using a public source code known as Shareaza Torrent Wizard. It follows a typical Lazarus group approach of utilizing public source code as a foundation and injecting specific malicious functions into it," the researchers said.
Using that malware loader, Lazarus also deployed additional malware, including tools such as LPEClient and credential-dumping utilities, to the victim machines. LPEClient collects victim information and downloads additional payloads from a remote server to run in memory.
As the researchers have previously noted, LPEClient now employs advanced techniques to improve its stealth and avoid detection, such as disabling user-mode syscall hooking and restoring system library memory sections.