At least six South Korean organizations in the financial, IT, semiconductor, software, and telecommunications sectors have been targeted in a recent campaign attributed to the North Korean APT Lazarus, Kaspersky reports.
While Lazarus’ targeting of South Korea is nothing new, the new attacks stand out because they combine a watering hole strategy with the exploitation of vulnerabilities in software used by organizations in the country.
As part of the campaign, dubbed Operation SyncHole, Lazarus exploited a vulnerability in Cross EX, an application used by South Korean companies to ensure that mandatory security software runs in browser environments.
The country’s internet environment requires that online banking and government websites use specific security software for anti-keylogging and certificate-based digital signatures. These applications run in the background to interact with the browser.
“The Lazarus group shows a strong grasp of these specifics and is using a South Korea-targeted strategy that combines vulnerabilities in such software with watering hole attacks,” Kaspersky notes.
Lazarus exploited Cross EX and a zero-day vulnerability in Innorix Agent to deploy malware on targeted organizations’ systems, the security firm says.
The infection chain was triggered after a user accessed several South Korean online media sites, with the ThreatNeedle malware deployed at the initial stage of the attack. A server-side script was used to filter the site’s visitors and redirect victims to an attacker-controlled domain.
“We assess with medium confidence that the redirected site may have executed a malicious script, targeting a potential flaw in Cross EX installed on the target PC, and launching malware,” Kaspersky says.
The script executed the legitimate SyncHost process and injected ThreatNeedle and wAgent code into it, a technique common throughout all Operation SyncHole intrusions. At the next stage of the attack, the SignBT and CopperHedge malware families were executed.
As part of the attacks, Lazarus also employed the LPEClient tool to profile victims, the Agamemnon downloader, and a credential dumping tool, and exploited the Innorix Agent file transfer software (also mandatory in South Korea for specific financial and administrative tasks) to deploy malware on internal hosts.
The analysis of the SignBT and CopperHedge variants used in these attacks revealed not only that Lazarus has been fine-tuning its tools to efficiently evade detection, but also that it was performing internal reconnaissance by issuing various Windows commands manually.
Kaspersky identified six organizations targeted in Operation SyncHole, but says that the number of victims is likely much higher, given the broad use of the targeted applications across industries. The company notified KrCERT of the attacks and patches were released for the exploited bugs.
“Throughout this campaign, several malware samples were used that we managed to attribute to the Lazarus group through our ongoing and dedicated research conducted for a long time. Our attribution is supported by the historical use of the malware strains, as well as their TTPs, all of which have been well documented by numerous security solutions vendors and governments,” Kaspersky notes.
Related: Lazarus Uses ClickFix Tactics in Fake Cryptocurrency Job Attacks
Related: North Korean Hackers Targeting Freelance Software Developers
Related: Windows Zero-Day Attack Linked to North Korea’s Lazarus APT
Related: North Korea’s Lazarus Targets Energy Firms With Three RATs