Lazarus Group Looking for Unpatched Software Vulnerabilities

North Korea’s state-sponsored hackers are spreading malware through known vulnerabilities in legitimate software. In a new campaign spotted by Kaspersky researchers, the Lazarus group is targeting a version of an unnamed software product with vulnerabilities reported and patches available.

See Also: Navigating SEC Compliance: A Comprehensive Approach to Cybersecurity Resilience

The new advanced persistent threat campaign targeting organizations worldwide used known flaws in a past version of an unnamed software despite the vulnerabilities being reported and patched designed to encrypt web communication using digital certificates.

Hackers from the Lazarus group exploited the vulnerable software and used it as an entry point to hack organizations and encrypt web communication using digital certificates, according to Kaspersky.

North Korea uses “cyber intrusions to conduct both espionage and financial crime to project power and to finance both their cyber and kinetic capabilities,” according to a report by Google’s Mandiant threat intelligence group. Under leader Kim Jong-Un, DPRK is affiliated with a number of state-sponsored hacking teams at home and abroad that gather intelligence on allies, enemies and defectors, as well as hack banks and steal cryptocurrency.

The United Nations has previously accused North Korea of using the stolen funds to finance the country’s long-range missile and nuclear weapons programs, as well as enrich the country’s rulers.

Hackers deployed a “SIGNBT” malware to control the victim and applied the well-known LPEClient tool, previously seen targeting defense contractors, nuclear engineers and the cryptocurrency sector, and researchers found in the notorious 3CX supply chain attack.

“This malware acts as the initial point of infection and plays a crucial role in profiling the victim and delivering the payload,” researchers said.

Kaspersky said the developers of the unnamed software had previously fallen victim to Lazarus several times. This recurring breach suggested a persistent and determined threat actor with the likely objective of stealing valuable source code or tampering with the software supply chain.

Seongsu Park, lead security researcher at Kaspersky, said the Lazarus group’s continued activity is a testament to its advanced capabilities and unwavering motivation.

“They operate on a global scale, targeting a wide range of industries with a diverse toolkit of methods. This signifies an ongoing and evolving threat that demands heightened vigilance,” Park said.

Malware Analysis

Kaspersky researchers said that in mid-July, they detected a series of attacks on several victims using the vulnerable software and they identified post-exploitation activity within the processes of the legitimate software.

“In one instance, while examining the memory of the compromised security software from a victim’s system, we discovered the presence of the SIGNBT malware accompanied by a shellcode. This shellcode was responsible for launching a Windows executable file directly in memory,” researchers said.

The threat actor used various tactics to establish and maintain persistence on compromised systems, including the creation of a file called ualapi.dll in the system folder that is automatically loaded by the spoolsv.exe process at each system boot.

Lazarus hackers also made registry entries to execute legitimate files for the purpose of malicious side-loading, ensuring a resilient persistence mechanism, researchers said.

The spoolsv.exe process for hijacking purposes is a longstanding strategy for Lazarus, researchers said. This loads a ualapi.dll file after each reboot, which was previously used by the Gopuram malware.

“The malicious ualapi.dll file was developed using a public source code known as Shareaza Torrent Wizard. It follows a typical Lazarus group approach of utilizing public source code as a foundation and injecting specific malicious functions into it,” researchers said.

Using that malware loader, Lazarus also deployed additional malware including tools as LPEClient and credential dumping utilities to the victim machines. The tool helps to collect victim information and download additional payloads from a remote server to run in memory.

As researchers previously noted, it now employs advanced techniques to improve its stealth and avoid detection, such as disabling user-mode syscall hooking and restoring system library memory sections, researchers said.