
Lazarus Strikes Again, Attacks Supply Chain in South Korea

Cryptocurrency Lazarus, North Korean TA406, Lazarus Group, Korea Atomic Energy Research Institute

Security researchers from ESET found attackers linked to the North Korean Lazarus group targeting South Korean supply chains. The attackers abused legitimate South Korean security software to distribute their malware and signed the samples with code-signing certificates stolen from two different companies.

Lazarus Supply Chain Attacks

ESET’s researchers note that South Koreans are often required to install additional security software when visiting government or banking sites. The attackers abused this process to deploy Lazarus malware from a compromised legitimate website.

“To understand this novel supply-chain attack, you should be aware that WIZVERA VeraPort, referred to as an integration installation program, is a South Korean application that helps manage such additional security software. When WIZVERA VeraPort is installed, users receive and install all necessary software required by a specific website. Minimal user interaction is required to start such software installation. Usually this software is used by government and banking websites in South Korea. For some of these websites it’s mandatory to have WIZVERA VeraPort installed,” explains Anton Cherepanov, ESET researcher who led the investigation into the attack.

“The attackers camouflaged the Lazarus malware samples as legitimate software. These samples have similar file names, icons, and resources as legitimate South Korean software. It’s the combination of compromised websites with WIZVERA VeraPort support and specific VeraPort configuration options that allows attackers to perform this attack,” says Peter Kálnai, ESET researcher who analyzed the Lazarus attack with Cherepanov.
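The two quotes above describe why this attack works: the integration installer fetches whatever the website's configuration names, the trojanized files carry the same names, icons and resources as the real products, and they are signed with certificates stolen from legitimate companies, so a valid signature alone proves nothing. The following script is an added example written for this article, not code from ESET, WIZVERA or Lazarus, showing the defender-side check that closes that gap: every fetched installer is compared against a manifest pinned through an independent channel (vendor-published SHA-256 plus the thumbprints of the certificates that vendor actually signs with). It assumes the platform has already validated the Authenticode signature and reports the signer thumbprint; the file names, hashes and thumbprints are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed pinned manifest (assumption for this example): what each
# installer the integration program may fetch should hash to, and which
# code-signing certificate thumbprints the real vendor uses. In practice
# this would be published by the vendor out of band, not by the website.
PINNED_MANIFEST: Dict[str, Dict[str, object]] = {
    "bank_security_tool.exe": {
        "sha256": hashlib.sha256(b"constructed: genuine bank tool v1").hexdigest(),
        "signers": {"THUMB-VENDOR-A-0001"},
    },
    "keyboard_protect.exe": {
        "sha256": hashlib.sha256(b"constructed: genuine keyboard tool v3").hexdigest(),
        "signers": {"THUMB-VENDOR-B-0002"},
    },
}


@dataclass
class Artifact:
    """One file fetched by the integration installer (constructed sample)."""
    filename: str
    content: bytes
    signer_thumbprint: str   # thumbprint of the certificate that signed it
    signature_valid: bool    # result of the platform's signature check


def check_artifact(artifact: Artifact,
                   manifest: Dict[str, Dict[str, object]] = PINNED_MANIFEST) -> List[str]:
    """Return a list of findings; an empty list means the file matches the pin."""
    findings: List[str] = []
    entry = manifest.get(artifact.filename)
    if entry is None:
        # A file the manifest never named: the website config asked for
        # something the vendor never published.
        findings.append(f"{artifact.filename}: not in pinned manifest (unexpected download)")
        return findings

    if not artifact.signature_valid:
        findings.append(f"{artifact.filename}: signature does not verify")

    # A stolen certificate yields a perfectly valid signature, so the check
    # is on *which* certificate signed, not merely that one did.
    signers: Set[str] = entry["signers"]  # type: ignore[assignment]
    if artifact.signer_thumbprint not in signers:
        findings.append(f"{artifact.filename}: signed by certificate "
                        f"{artifact.signer_thumbprint} not on the vendor's allowlist")

    # Same name and icon as the genuine product is exactly the camouflage
    # described in the article; the content hash is what separates them.
    digest = hashlib.sha256(artifact.content).hexdigest()
    if digest != entry["sha256"]:
        findings.append(f"{artifact.filename}: SHA-256 {digest[:12]}... does not match "
                        f"pinned {str(entry['sha256'])[:12]}...")
    return findings


def audit(artifacts: List[Artifact]) -> Dict[str, List[str]]:
    """Check every fetched file; only entries with findings are returned."""
    report = {a.filename: check_artifact(a) for a in artifacts}
    return {name: f for name, f in report.items() if f}


# Constructed download batch: one genuine file, one trojanized look-alike
# validly signed with a certificate stolen from a different company, and
# one file the vendor never published.
GENUINE = Artifact("bank_security_tool.exe",
                   b"constructed: genuine bank tool v1",
                   "THUMB-VENDOR-A-0001", True)
TROJANIZED = Artifact("keyboard_protect.exe",
                      b"constructed: different payload with the same name and icon",
                      "THUMB-STOLEN-FROM-COMPANY-C", True)
UNEXPECTED = Artifact("extra_helper.exe",
                      b"constructed: never listed by the vendor",
                      "THUMB-VENDOR-A-0001", True)

if __name__ == "__main__":
    for name, findings in audit([GENUINE, TROJANIZED, UNEXPECTED]).items():
        for line in findings:
            print("ALERT", line)
```

The trojanized sample passes the signature check and has the right file name, and is still flagged twice (unknown signer, hash mismatch); the genuine file produces no findings. The value of the pin depends entirely on the manifest arriving through a channel the compromised website cannot influence.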

The Lazarus Timeline

The Lazarus hacking group has been involved in multiple cyberattacks before. In 2018, Kaspersky uncovered AppleJeus, a malicious operation by the Lazarus Group to intrude on cryptocurrency exchanges and applications. In December 2019, researchers discovered malware dubbed “Fileless” distributed by the Lazarus group.