A new campaign by the infamous Lazarus group targeting organizations worldwide
has been uncovered by Kaspersky's Global Research and Analysis Team (GReAT).
The research, presented at the Security Analyst Summit (SAS), revealed a
sophisticated APT campaign in which malware was delivered through legitimate
software.
The GReAT team identified a series of cyber incidents in which targets were
infected through legitimate software designed to encrypt web communication
using digital certificates. Although the vulnerabilities had been reported and
patched, organizations worldwide were still running the flawed version of the
software, giving the Lazarus group an entry point.
The adversary exhibited a high level of sophistication, employing advanced
evasion techniques and deploying the SIGNBT malware to control the victim.
They also used the already well-known LPEClient tool, previously seen
targeting defense contractors, nuclear engineers and the cryptocurrency
sector. This malware acts as the initial point of infection and plays a
crucial role in profiling the victim and delivering the payload. Kaspersky
researchers' observations indicate that LPEClient's role in this and other
attacks aligns with the tactics employed by the Lazarus group, as also seen in
the notorious 3CX supply chain attack.
Further investigation revealed that Lazarus malware had already targeted the
initial victim, a software vendor, several times before. This pattern of
recurring attacks indicates a determined and focused adversary, likely intent
on stealing critical source code or disrupting the software supply chain. The
threat actor repeatedly exploited vulnerabilities in the company's software and
broadened their scope by targeting other companies that used the unpatched
version. Kaspersky's Endpoint Security solution identified the threat
proactively and prevented further attacks against other targets.
"The Lazarus group's continued activity is a
testament to their advanced capabilities and unwavering motivation," said
Seongsu Park, lead security researcher at Kaspersky's Global Research and
Analysis Team. "They operate on a global scale, targeting a wide range of
industries with a diverse toolkit of methods. This signifies an ongoing and
evolving threat that demands heightened vigilance."
To learn more about the campaign, visit Securelist.com