Lazarus malware has been tracked in new campaigns against South Korean supply chains, made possible through stolen security certificates.
On Monday, cybersecurity researchers from ESET revealed the abuse of the certificates, stolen from two separate, legitimate South Korean companies.
Lazarus, also known as Hidden Cobra, is an umbrella term for select threat groups — including offshoot entities — suspected of being tied to North Korea. Thought to be responsible for Sony’s infamous 2014 hack, Lazarus has also been connected to hacks using zero-day vulnerabilities, LinkedIn phishing messages, and the deployment of Trojans in campaigns including Dacls and Trickbot.
In recent years, Lazarus has expanded its attack surface not only for the theft of sensitive data from corporations but also in order to compromise cryptocurrency organizations.
In this supply chain attack, the threat actors are using an “unusual supply chain mechanism,” ESET says, in which Lazarus is abusing a standard requirement for South Korean internet users — the need to install additional security software when they visit government or financial services websites.
Typically, users will be required to download WIZVERA VeraPort, a program used to manage software downloads that are necessary to visit particular domains. These updates may include browser plugins, standalone security software, or identity verification tools.
WIZVERA VeraPort digitally signs and cryptographically verifies downloads.
“[This] is why attackers can’t easily modify the content of these configuration files or set up their own fake website,” the researchers say. “However, the attackers can replace the software to be delivered to WIZVERA VeraPort users from a legitimate but compromised website. We believe this is the scenario the Lazarus attackers used.”
Lazarus has targeted the weaker links in the chain by illegally obtaining code-signing certificates from two South Korean security companies.
WIZVERA VeraPort’s default configuration usually requires the signatures of downloaded binaries to be verified before execution. However, the software manager only verifies the signature and not who certificates belong to.
In order to exploit the software, the stolen — but valid — certificates were used to launch Lazarus malware payloads.
So far, two malware samples have been detected that camouflage the group’s malware as legitimate, South Korean software that is often downloaded and executed by WIZVERA VeraPort. Similar file names, icons, and resources to legitimate software have been crafted to avoid arousing suspicion.
If a victim visits a malicious website, for example, and unwittingly downloads the compromised software, Lazarus will then launch a dropper via WIZVERA VeraPort which extracts a downloader and configuration files.
A connection is then established with the attacker’s command-and-control (C2) server and the final payload, a Remote Access Trojan (RAT), is deployed on a victim’s machine. RATs can be used to maintain covert surveillance, persistence via backdoors, and for the exfiltration of data or remote system control.
“It’s the combination of compromised websites with WIZVERA VeraPort support and specific VeraPort configuration options that allow attackers to perform this attack,” ESET says. “Owners of such websites could decrease the possibility of such attacks, even if their sites are compromised, by enabling specific options (e.g. by specifying hashes of binaries in the VeraPort configuration).”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0