Over the past year, the Lazarus Group has used flaws in undisclosed software to breach a financial business entity in South Korea on two distinct occasions. Unlike the first attack in May 2022, the re-infiltration in October 2022 exploited a zero-day vulnerability in the same certificate software, which is widely used by public institutions and universities.
After gaining an initial foothold through a BYOVD attack, the APT abused the zero-day vulnerability to perform lateral movement. However, AhnLab Security Emergency Response Center (ASEC) said it will not provide more details, as the vulnerability has not yet been fully verified and no patch has been released.
The team has also analyzed other cases, and, putting together the several incidents that have not been disclosed yet, concludes that the Lazarus group is researching the vulnerabilities of various other software and constantly changing its TTPs: altering the way it disables security products and carrying out anti-forensic techniques to interfere with or delay detection and analysis, in order to infiltrate Korean institutions and companies.
More About the BYOVD Attack
Bring Your Own Vulnerable Driver (BYOVD) is a technique repeatedly employed by the Lazarus Group in recent months. As part of its malicious behavior, the malware renames files before deleting them and modifies their timestamps, an anti-forensic technique known as timestomping.
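As an added illustration of the timestomping mentioned above (example code, not from the article or from ASEC's report): a heuristic check over constructed NTFS MFT-style records that flags the two classic inconsistencies forensic analysts look for. The record layout, file paths and timestamps are all constructed for the example.

```python
"""Heuristic timestomping check over constructed NTFS MFT-style records.

Timestomping tools typically rewrite the $STANDARD_INFORMATION (SI) timestamps
that Explorer and `dir` display, while the $FILE_NAME (FN) attribute is only
updated by the kernel. Two common indicators: SI timestamps that precede the
FN timestamps, and SI timestamps whose fractional seconds are exactly zero
(many stomping tools only set whole seconds).
"""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass
class MftRecord:
    path: str
    si_created: datetime   # $STANDARD_INFORMATION creation time
    si_modified: datetime  # $STANDARD_INFORMATION last-write time
    fn_created: datetime   # $FILE_NAME creation time (kernel-maintained)
    fn_modified: datetime  # $FILE_NAME last-write time (kernel-maintained)


def timestomp_indicators(rec: MftRecord) -> list[str]:
    """Return the heuristic indicators that fire for one record (empty = clean)."""
    hits = []
    # SI created before FN created: also seen for files moved between volumes,
    # so treat as a lead to corroborate, not proof on its own.
    if rec.si_created < rec.fn_created:
        hits.append("SI created earlier than FN created")
    # Whole-second SI timestamps on a volume that normally records 100 ns
    # precision is a tell-tale sign of a tool rewriting the timestamps.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        hits.append("SI timestamps have zero fractional seconds")
    return hits


def scan(records: list[MftRecord]) -> dict[str, list[str]]:
    """Map each suspicious path to the indicators that fired for it."""
    return {r.path: hits for r in records if (hits := timestomp_indicators(r))}


# Constructed sample: a normal system file and a stomped dropped file. The
# name Keys.dat comes from the article; its path and times are invented here.
SAMPLE = [
    MftRecord(r"C:\Windows\System32\notepad.exe",
              datetime(2022, 5, 3, 9, 14, 27, 381204, UTC), datetime(2022, 5, 3, 9, 14, 27, 381204, UTC),
              datetime(2022, 5, 3, 9, 14, 27, 381204, UTC), datetime(2022, 5, 3, 9, 14, 27, 381204, UTC)),
    MftRecord(r"C:\ProgramData\Keys.dat",
              datetime(2019, 1, 12, 8, 0, 0, 0, UTC), datetime(2019, 1, 12, 8, 0, 0, 0, UTC),
              datetime(2022, 10, 19, 2, 41, 55, 910377, UTC), datetime(2022, 10, 19, 2, 41, 55, 910377, UTC)),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE).items():
        print(path, "->", "; ".join(hits))
```

Real investigations would pull these values from a parsed $MFT (for example with an MFT parser's CSV output) rather than hand-built records.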
The attack enabled multiple backdoor payloads (Keys.dat and Settings.vwx) to connect to remote command-and-control servers, retrieve additional binaries, and execute them filelessly.
In the past week, according to THN, a new implant called WinorDLL64 was observed being deployed by the threat actor via the malware loader Wslink.
The North Korean Cybercrime Gang
The Lazarus group is already notorious in the world of threat actors. Active since 2009, Lazarus has been linked to ransomware campaigns, cryptocurrency scams, cyberespionage, and more.
In June 2022, the cross-chain bridge Harmony Horizon for Ethereum suffered a security breach. The hackers gained control of a MultiSigWallet contract, transferring large amounts of tokens to their own addresses. Towards the end of the year, in December 2022, Lazarus was revealed to have spread malware using a fake cryptocurrency app called BloxHolder.