The Lazarus Group's APT (Advanced Persistent Threat) campaign attacks organizations worldwide. The malicious program used for the compromise is distributed via legitimate software.
Kaspersky's Global Research and Analysis Team (GReAT) has identified a number of cybersecurity incidents in which victims were infected using legitimate software designed to encrypt online communications via digital certificates. Even though the vulnerabilities have been reported and patched, organizations worldwide continue to use the malicious version of the software, opening the door for the notorious Lazarus group to enter their network.
Sophisticated attack scheme via supply chain infection of legitimate software
The attackers were very sophisticated in their operation. So they used advanced techniques to avoid detection. They also used SIGNBT, malware, to control victims. In addition, the well-known LPEClient tool was used, which has previously been used in attacks on defense companies, nuclear engineers and in the crypto sector. This malware serves as an initial infection vector and is critical for victim profiling and payload delivery. Kaspersky experts' findings indicate that LPEClient's role in this and other attacks is consistent with the Lazarus Group's previous tactics, such as those seen in the infamous 3CX supply chain attack.
Lazarus group attacks repeatedly
Furthermore, Kaspersky analysis shows that the original victim – the provider of the legitimate software – has been previously attacked multiple times with the Lazarus malware. This pattern of recurring attacks points to a persistent actor, likely intent on stealing critical source code or disrupting a software supply chain. Those behind the campaign consistently exploited the company's software vulnerabilities and attacked other organizations that used the unpatched version of the software. Kaspersky Endpoint Security proactively detected the threat and prevented further attacks on other targets.
“That the Lazarus Group is still active is a testament to its advanced capabilities and unwavering motivation. It operates worldwide and targets various industries using a variety of methods. We believe this is a persistent and evolving threat that requires increased vigilance,” said Seongsu Park, Lead Security Researcher at Kaspersky’s Global Research and Analysis Team.
More at Kaspersky.de
About Kaspersky Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250.000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/