ZeroSecurity - Information Security News

North Korean State-Backed Hackers Utilize Known Software Vulnerabilities

by Kyle
October 31, 2023
in Malware

In a recent investigation, Kaspersky researchers uncovered an advanced persistent threat campaign by the Lazarus group, a North Korean state-sponsored hacking collective. The group has been exploiting well-documented vulnerabilities in an undisclosed software product, even though the flaws had been publicly reported and patches were available.

The campaign, which has had a global impact, centers on known flaws in an older version of the undisclosed software, a product used to encrypt web communications with digital certificates. Although the flaws had been reported and addressed through patches, Kaspersky confirmed that the Lazarus group used them as an entry point to infiltrate organizations that were still running the vulnerable version.

The Lazarus group, believed to be under the auspices of the Democratic People’s Republic of Korea (DPRK), has a well-established track record of using cyber intrusions for both espionage and financial crime, all with the aim of consolidating power and financing their cyber and kinetic capabilities. Google’s Mandiant threat intelligence group has reported extensively on North Korea’s association with multiple state-sponsored hacking teams, both domestically and internationally. These teams are involved in intelligence-gathering activities against allies, adversaries, and defectors, as well as conducting bank heists and cryptocurrency theft.


In past reports, the United Nations has accused North Korea of channeling stolen funds into the country’s long-range missile and nuclear weapons programs and enriching its leadership.

To execute their malicious activities, the Lazarus group deployed the SIGNBT malware to compromise victims and employed the well-known LPEClient tool. This tool, previously observed targeting defense contractors, nuclear engineers, and the cryptocurrency sector, was also identified in the infamous 3CX supply chain attack. According to Kaspersky researchers, the SIGNBT malware served as the initial point of infection, playing a pivotal role in profiling victims and delivering the payload.

It’s worth noting that the developers of the undisclosed software had been targeted by Lazarus on multiple occasions in the past, suggesting the threat actor’s unwavering persistence and motivation. Their likely objectives include stealing valuable source code or tampering with the software supply chain.

Seongsu Park, lead security researcher at Kaspersky, emphasized the advanced capabilities and unwavering motivation of the Lazarus group. “They operate on a global scale, targeting a wide range of industries with a diverse toolkit of methods. This signifies an ongoing and evolving threat that demands heightened vigilance,” Park stated.

Kaspersky’s Malware Analysis

Kaspersky revealed that in mid-July, a series of attacks involving the vulnerable software was detected, with post-exploitation activities occurring within the legitimate software’s processes. Researchers found that the SIGNBT malware, along with a shellcode, was present in the compromised security software of a victim’s system. This shellcode was responsible for executing a Windows executable file directly in memory.

The threat actor employed various tactics to establish and maintain persistence on compromised systems. This included creating a file named ualapi.dll in the system folder, which would be automatically loaded by the spoolsv.exe process during each system boot. Additionally, Lazarus hackers made registry entries to facilitate the execution of legitimate files for malicious side-loading, ensuring a resilient persistence mechanism.

Abusing the spoolsv.exe process in this way is a long-standing Lazarus technique: the print spooler loads a ualapi.dll placed in the system folder after every reboot, giving the malicious library a reliable execution point. The DLL was built from the public source code of Shareaza Torrent Wizard, which reflects a typical Lazarus approach of taking public source code as a foundation and injecting specific malicious functions into it.
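The persistence mechanism above leaves a clear signal for defenders: the print spooler loading a ualapi.dll. The following is an added detection example written for this article, not code from Kaspersky's report or from the ZeroSecurity site; it runs over constructed Sysmon Event ID 7 (ImageLoad) records, flags any ualapi.dll load by spoolsv.exe, and raises the severity when the DLL is unsigned or loaded from outside System32 (the field names follow Sysmon, the key=value line format is an assumption for this example).

```python
import re
from dataclasses import dataclass

# Constructed sample Sysmon ImageLoad (Event ID 7) records for this example.
# Paths contain no spaces, so a simple key=value split is enough here.
SAMPLE_EVENTS = """
EventID=7 Image=C:\\Windows\\System32\\spoolsv.exe ImageLoaded=C:\\Windows\\System32\\ualapi.dll Signed=false SignatureStatus=Unavailable
EventID=7 Image=C:\\Windows\\System32\\spoolsv.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true SignatureStatus=Valid
EventID=7 Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\ualapi.dll Signed=false SignatureStatus=Unavailable
EventID=1 Image=C:\\Windows\\System32\\spoolsv.exe CommandLine=spoolsv.exe
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Finding:
    process: str
    loaded: str
    severity: str
    reason: str


def parse_event(line):
    """Turn one key=value record into a dict of Sysmon fields."""
    return dict(FIELD_RE.findall(line))


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def check_spooler_sideload(event):
    """Return a Finding when spoolsv.exe loads ualapi.dll, else None."""
    if event.get("EventID") != "7":
        return None
    process, loaded = event.get("Image", ""), event.get("ImageLoaded", "")
    if basename(process) != "spoolsv.exe" or basename(loaded) != "ualapi.dll":
        return None
    reasons, severity = ["spoolsv.exe loaded ualapi.dll"], "medium"
    if event.get("Signed", "").lower() != "true":  # the article's DLL was a custom build
        reasons.append("DLL is unsigned")
        severity = "high"
    if not loaded.lower().startswith(SYSTEM32):  # dropped somewhere other than the system folder
        reasons.append("DLL loaded from outside System32")
        severity = "high"
    return Finding(process, loaded, severity, "; ".join(reasons))


def scan(text):
    """Run the check over every record and collect the findings."""
    return [f for f in (check_spooler_sideload(parse_event(l))
                        for l in text.strip().splitlines()) if f]
```

A signed ualapi.dll from Microsoft can be filtered on hosts that legitimately ship it; every other load by the spooler is worth a closer look.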

Lazarus also deployed additional malware, including tools such as LPEClient and credential-dumping utilities, to victim machines. This toolset was employed to collect victim information and download additional payloads from a remote server for execution in memory.

Kaspersky further reports that the Lazarus group has increasingly used advanced techniques to improve stealth and evade detection, including disabling user-mode syscall hooking and restoring system library memory sections.

Tags: Lazarus