The Lazarus Group, known for its affiliation with North Korea, has been identified as the perpetrator behind a recent cyber campaign targeting an undisclosed software vendor. According to Kaspersky, the attack exploited known security vulnerabilities in a widely used software product, culminating in the deployment of malware families such as SIGNBT and LPEClient. LPEClient is a well-known hacking tool employed by this threat actor for victim profiling and payload delivery.

According to security researcher Seongsu Park, the adversary displayed a high level of sophistication in their approach, utilizing advanced evasion techniques and introducing the SIGNBT malware for controlling their victims. In this attack, SIGNBT malware demonstrated a diverse infection chain and employed sophisticated tactics.

The Russian cybersecurity firm noted that the software vendor, whose software was exploited, had previously fallen victim to Lazarus attacks several times. This pattern suggests an intention to steal source code or compromise the software supply chain, similar to the 3CX supply chain attack.

Park also highlighted that the Lazarus Group continued to exploit vulnerabilities in the targeted company’s software while extending their focus to other software developers. As of mid-July 2023, several victims had been singled out.

These victims were targeted through a legitimate piece of security software designed to encrypt web communications with digital certificates. The software's name was not disclosed, and the exact method used to weaponize it for distributing the SIGNBT malware remains unknown.

Apart from employing various tactics to establish and maintain persistence on compromised systems, the attack chains used an in-memory loader as a conduit to launch the SIGNBT malware.

SIGNBT serves as a backdoor to establish contact with a remote server and retrieve further commands for execution on the infected host. This malware is named after distinctive strings prefixed with “SIGNBT” in its HTTP-based command-and-control (C2) communications, such as SIGNBTLG for initial connection, SIGNBTKE for gathering system metadata, SIGNBTGC for fetching commands, SIGNBTFI for communication failure, and SIGNBTSR for successful communication.
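The five SIGNBT-prefixed markers above are the kind of artefact a defender can turn into a simple traffic triage rule. The following Python script is an added example and is not code from the original article or from Kaspersky's report. It assumes a data source in which the markers are visible as plain text (for example, decrypted proxy or sandbox captures; if the C2 body is encrypted on the wire, a string match like this will not fire) and uses constructed, hypothetical log lines of the form `src_ip method url body=...`. It tags each hit with the communication phase the article associates with the marker and escalates a host that shows the full connect, metadata, command-fetch sequence in order.

```python
import re
from collections import defaultdict

# Marker-to-phase mapping as described in the article's summary of SIGNBT C2 traffic.
SIGNBT_MARKERS = {
    "SIGNBTLG": "initial connection",
    "SIGNBTKE": "system metadata upload",
    "SIGNBTGC": "command fetch",
    "SIGNBTFI": "communication failure",
    "SIGNBTSR": "successful communication",
}

# Only the five documented suffixes are matched; \b keeps SIGNBTXX-style noise from matching.
MARKER_RE = re.compile(r"\bSIGNBT(LG|KE|GC|FI|SR)\b")

# Ordered sequence that indicates a completed beacon cycle rather than a stray string.
BEACON_SEQUENCE = ["SIGNBTLG", "SIGNBTKE", "SIGNBTGC"]

# Constructed sample log (hypothetical proxy export; IPs are documentation ranges, not real IoCs).
SAMPLE_LOG = """\
10.0.0.5 POST http://203.0.113.9/index.php body=SIGNBTLG;hostid=ab12
10.0.0.5 POST http://203.0.113.9/index.php body=SIGNBTKE;os=win10
10.0.0.5 POST http://203.0.113.9/index.php body=SIGNBTGC
10.0.0.7 GET http://example.com/ body=
10.0.0.8 POST http://203.0.113.9/index.php body=SIGNBTFI
"""


def extract_marker(line):
    """Return the SIGNBT marker found in a log line, or None if there is none."""
    match = MARKER_RE.search(line)
    return match.group(0) if match else None


def scan_log(text):
    """Group observed markers per source host, preserving the order they appeared in."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        src = line.split()[0]          # first column is the client address in this format
        marker = extract_marker(line)
        if marker:
            hits[src].append(marker)
    return dict(hits)


def classify(markers):
    """'beacon' if LG, KE, GC occur as an ordered subsequence; 'partial' for any marker; else 'none'."""
    if not markers:
        return "none"
    remaining = iter(markers)
    # `step in remaining` consumes the iterator up to each step, so this is an ordered check.
    if all(step in remaining for step in BEACON_SEQUENCE):
        return "beacon"
    return "partial"


def triage(text):
    """Produce a per-host verdict with the phases seen, suitable for an analyst queue."""
    report = {}
    for src, markers in scan_log(text).items():
        report[src] = {
            "verdict": classify(markers),
            "phases": [SIGNBT_MARKERS[m] for m in markers],
        }
    return report


if __name__ == "__main__":
    for host, info in triage(SAMPLE_LOG).items():
        print(host, info["verdict"], "->", ", ".join(info["phases"]))
```

A host with only a single SIGNBTFI or SIGNBTSR hit is reported as `partial` so it still reaches the queue, but the `beacon` verdict is reserved for the ordered handshake, which is harder to produce by accident than one string appearing in unrelated traffic.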

The Windows backdoor offers a wide range of capabilities to gain control over the victim’s system, including process enumeration, file and directory operations, and the deployment of payloads like LPEClient and other credential-dumping utilities.

Kaspersky identified at least three separate Lazarus campaigns in 2023, each utilizing different intrusion vectors and infection procedures. However, they consistently relied on LPEClient malware for delivering the final-stage malware.

One of these campaigns facilitated the deployment of an implant named Gopuram, which was used in cyber attacks targeting cryptocurrency companies by utilizing a tampered version of the 3CX voice and video conferencing software.

These recent findings underscore the ongoing North Korean-linked cyber operations and highlight the Lazarus Group’s ever-evolving and expanding arsenal of tools, tactics, and techniques. Park emphasized that the Lazarus Group remains a highly active and adaptable threat actor in the current cybersecurity landscape, with a deep understanding of IT environments and a strategy that efficiently spreads malware once initial infections are achieved.
