ESET on Monday confirmed the reports of the Lazarus APT group deploying malware in South Korea. Lazarus, also known as Hidden Cobra is a North Korea-linked group that has time & again targeted various victims in South Korea. This time, the group has successfully conducted operations using an unusual supply-chain mechanism for deploying the Lazarus malware in South Korea. 

ESET research is calling this supply-chain attack a continuation of the Operation BookCodes, identified in April & July by KrCERT. Though KrCERT hasn’t attributed Operation BookCodes to Lazarus, it is suspected by many cybersecurity experts. This is owing to the typical characteristics, detection and the place of attacks being South Korea which is a chosen ground by Lazarus.

Besides this, the custom, unique methods of intrusion & encryption used along with the network infrastructure setup hint towards the same. Kaspersky has also hinted towards the same in their Q2 2020 APT trends report published in July-end.

About Cyberattack in South Korea

Threat actors used an unusual supply chain mechanism to deliver malware to users’ systems. They abused legitimate South-Korean security software & stole 2 digital certificates from two different companies. The attackers took advantage of the fact that more often than not South Korean internet users are asked to install extra security software when they are visiting a government-owned or internet banking websites. They used WIZERA Veraport. 

Now, before we go ahead, let us tell you what is WIZERA Veraport?

WIZERA Veraport is the additional security software managing the Integration Installation Program. It manages various aspects like browser plug-ins, security software, identification software, and more. This program is actually a pre-requisite for certain government & bank domains. It is majorly used to digitally sign & verify various documents. 

The websites that support WIZERA Veraport contain server-side components, especially a WIZERA configuration file and some Javascript. This configuration file contains a number of parameters like the web addresses and the list of software to install & their download URLs.  This configuration file is digitally signed by WIZERA and after the download, it is verified digitally using a strong cryptographic algorithm RSA. This is actually a precautionary measure to avoid malicious attackers from modifying the contents of the configuration files or set up their own websites. 

Now, here’s the catch.

The attackers can actually replace the genuine software which was to be delivered by WIZERA to the user. The original software is replaced with a legitimate but compromised website. This is believed to be the case in this attack.

Also read,

The attackers also gained the code-signing certificates from 2 separate South Korean security companies to successfully carry out the supply chain attacks. What happens is that WIVERA Veraport only verifies the downloaded binaries, without actually checking who they belong to. So, the Lazarus APT leverages on the stolen yet valid digital certificates to deliver the malware. 

It has been observed in 2 separate samples that were delivered as legitimate South Korean software. The attackers had used names, icons, version information resources highly similar to those of the genuine South Korean software that is usually delivered through WIVERA Veraport, thus reducing further suspicion.

Once a user visits the malware affected site, WIVERA Veraport serves a dropper for the malware, extracting both, the downloader and the configuration file. The malware then connects to the attackers’ command-and-control (C2) server. The final payload, Remote Access Trojan (RAT) is deployed on the victim’s machine. 

History of Lazarus attacks

The Lazarus group has a history of malicious cyber attacks over many years. Said to be actively working since 2009, possibly even as early as 2007, Lazarus has caused a lot of damage in the cyber world. It has been involved in various campaigns aimed at cyberespionage & sabotaging activities. This was done in order to disrupt systems and destroy data. 

They were also behind the more popular cyberattacks on the Sony Pictures Entertainment in the year 2014 and the WannaCry ransomware attacks in 2017. The WannaCry ransomware attacks affected various countries including Britain and the US. More recently, a report published by Kaspersky in January 2020 stated that Lazarus APT group has continually targeted the cryptocurrency exchanges evolving its TTP over the period of last 2 years.

In another scenario, the Lazarus group recently targeted IP-addresses that belonged to ISPs and defence contractors in a number of countries. They did this with the help of a spyware tool called Torisma. In September, Lazarus APT hackers attacked some Japanese organizations using the remote SMB tool called SMBMAP following network intrusion.

What can be done to stay safe?

The reason that attackers can successfully perform this attack is the combination of compromised websites & WIVERA Veraport support along with specified Veraport configuration options. But the website owners can still reduce the risk of such attacks. Even in the scenario of compromised websites, what their owners can do is enable specific options. These options include specifying hashes of binaries in the Veraport configuration. This will help reduce the chances of similar attacks happening in the future. 

ESET points out that Lazarus has numerous subgroups and that is what contributes to their unusually broad toolset. What is peculiar is that, unlike most cybercriminal groups, the source code to any of the Lazarus tools has never been disclosed in any public leak. This makes it harder to detect & resolve their malicious activities.

Over time, Lazarus has attacked various victims in South Korea leading to some of the most dangerous attacks of all time. Stringent steps need to be taken in order to secure users from such attacks and identifying these attacks in due time is the first step.