North Korea-linked Lazarus APT group, also known as Hidden Cobra, has a long history of targeting victims in South Korea. According to security experts from ESET, this time the group has conducted operations by using an unusual supply-chain mechanism to deploy Lazarus malware in South Korea.

Latest supply-chain attack

In the recent campaign, Lazarus took advantage of the fact that South Korean internet users are often required to install additional security software, such as WIZVERA VeraPort, before they can use certain government and banking websites.
  • The group has targeted the WIZVERA VeraPort software installation mechanism to deliver Lazarus malware from a legitimate yet compromised website.
  • It disguised the malware samples as legitimate South Korean software, often delivered via WIZVERA VeraPort to pass security checks.
  • The Lazarus attackers used illegally obtained yet valid code-signing certificates to push their payload. As VeraPort only verifies the validity of the digital signature, without checking whom it belongs to, hackers used stolen certificates to bypass this check.

Similarities with Operation BookCodes

According to the ESET research, the Lazarus supply-chain attack campaign is a continuation of what KrCERT has called Operation BookCodes, identified in April and June this year. While KrCERT hasn’t attributed Operation BookCodes to the Lazarus group, Kaspersky did in their report on Q2 2020 APT trends at the end of July.

Recent Lazarus activity

  • Recently, the Lazarus group targeted IP addresses belonging to ISPs and defense contractors in different countries using a spyware tool called Torisma.
  • In September, the Lazarus APT hackers attacked Japanese organizations using the remote SMB tool SMBMAP after the initial network intrusion.

Key prevention tips

The combination of compromised websites with WIZVERA VeraPort support and specific VeraPort configuration options enables attackers to perform supply-chain attacks. Owners of such websites can change WIZVERA VeraPort’s default configuration so that it verifies not only the digital signature but also the hash of each downloaded binary, which reduces the likelihood of such attacks.
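The gap between the default check and the hardened configuration described above, as an added illustration that is not code from ESET, WIZVERA, or this article: the code-signing signature is simulated with an HMAC, and the certificates, binaries, trust store, and company names are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for a code-signing certificate: the issuer is a
# trusted CA, the subject is the company the certificate was issued to.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes  # signing secret; HMAC stands in for RSA/ECDSA here

TRUSTED_CAS = {"Example Root CA"}  # assumed trust store

def sign(binary: bytes, cert: Cert) -> bytes:
    return hmac.new(cert.key, binary, hashlib.sha256).digest()

def signature_valid(binary: bytes, sig: bytes, cert: Cert) -> bool:
    # "Is this a valid signature from a certificate chaining to a trusted CA?"
    return cert.issuer in TRUSTED_CAS and hmac.compare_digest(sig, sign(binary, cert))

def weak_check(binary: bytes, sig: bytes, cert: Cert) -> bool:
    # Default behaviour the article describes: any valid signature passes,
    # regardless of whom the certificate belongs to.
    return signature_valid(binary, sig, cert)

def hardened_check(binary: bytes, sig: bytes, cert: Cert,
                   allowed_subjects: set, expected_sha256: str) -> bool:
    # Site-side policy: pin the signer identity and the hash of the binary.
    if not signature_valid(binary, sig, cert):
        return False
    if cert.subject not in allowed_subjects:
        return False
    return hmac.compare_digest(hashlib.sha256(binary).hexdigest(), expected_sha256)

# Constructed sample: the genuine vendor build, and a trojanised build signed
# with a stolen but still valid certificate issued to an unrelated company.
VENDOR_CERT = Cert("Legit Security Vendor Co.", "Example Root CA", b"vendor-key")
STOLEN_CERT = Cert("Unrelated Software Ltd.", "Example Root CA", b"stolen-key")
GENUINE = b"genuine installer bytes (constructed)"
TROJAN = b"trojanised installer bytes (constructed)"
PINNED_HASH = hashlib.sha256(GENUINE).hexdigest()
ALLOWED = {"Legit Security Vendor Co."}

def evaluate(binary: bytes, cert: Cert) -> tuple:
    # Returns (accepted by default check, accepted by hardened check).
    sig = sign(binary, cert)
    return (weak_check(binary, sig, cert),
            hardened_check(binary, sig, cert, ALLOWED, PINNED_HASH))
```

The stolen-certificate case passes the default check and fails the hardened one; a modified binary signed with the vendor's own certificate also fails, because the pinned hash no longer matches.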

Cyware Publisher