Kaspersky records cyberattacks on pharmaceutical companies and a department of a health ministry. The attacks on COVID-19 vaccine research point to the Lazarus group.
Kaspersky researchers identified two targeted attacks in the fall on organizations linked to COVID-19 research: a health ministry and a pharmaceutical company. The Kaspersky experts assume that the infamous Lazarus group is behind both attacks.
Attack scheme indicates Lazarus
The first attack targeted a health ministry facility, where two Windows servers were compromised with sophisticated malware on October 27, 2020. Analysis identified the malware as the already known 'wAgent' and showed that it used the same infection scheme the Lazarus group had previously employed in attacks on companies in the cryptocurrency sector.
The second incident involved a pharmaceutical company that, according to Kaspersky telemetry, was attacked on September 25, 2020. The company is developing a COVID-19 vaccine and has already received authorization to manufacture and distribute it. This time the attacker used the 'Bookcode' malware, previously associated with Lazarus in a supply-chain attack through a South Korean software company. Kaspersky researchers have also observed the Lazarus group in the past spreading Bookcode through spear phishing and strategic website compromises.
wAgent and Bookcode malware
Both wAgent and Bookcode, as used in these attacks, offer similar functionality, including a fully functional backdoor. Once the final payload is deployed, the operator can control the victim's computer in almost any way. Based on these overlaps, the Kaspersky researchers attribute the attacks with a high degree of probability to the Lazarus group. The investigations are still ongoing.
"These two incidents show Lazarus' interest in information related to COVID-19," said Seongsu Park, security researcher at Kaspersky. "While the group is best known for its activities in the financial sector, this shows that strategic research is also relevant to them. We believe that any entity currently involved in vaccine research or COVID-19 crisis management should be on high alert to cyberattacks." Kaspersky products detect the wAgent malware as HEUR:Trojan.Win32.Manuscrypt.gen and Trojan.Win64.Manuscrypt.bx.
More on this at Kaspersky.com
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/