Lazarus Adds Supply Chain Attack to List of Capabilities

7 Min Read

North Korean advanced persistent threat group Lazarus – aka Hidden Cobra – is developing supply chain attack capabilities using its multiplatform malware framework, MATA, for cyberespionage goals, according to researchers.

In June, the group was using the MATA framework – which can attack Windows, Linux and macOS operating systems – to target the defense industry, according to Kaspersky researchers, who add that the group is likely using MATA for cyberespionage purposes.

Lazarus has been using the MATA framework to deliver payloads since 2019, according to earlier disclosures by security firms Kaspersky and NetLabs (see: Lazarus Group Deploying Fresh Malware Framework).

“The actor delivered a Trojanized version of an application known to be used by their victim of choice – a well-known Lazarus characteristic. Notably, this is not the first time the Lazarus Group has attacked the defense industry. Their previous ThreatNeedle campaign was carried out in a similar fashion in mid-2020,” Kaspersky researchers note in the firm’s quarterly threat intelligence summary.

Over the past several years, the Lazarus Group has been tied to a series of financial cybercrimes and cyberespionage campaigns designed to benefit the North Korean government (see: North Korean Hacking Infrastructure Tied to Magecart Hits).

Kaspersky researchers say they also found an updated DeathNote cluster, which consists of a slightly updated variant of BlindingCan. As the Cybersecurity and Infrastructure Security Agency previously reported, the cluster was used to deliver a new variant of CopperHedge (see: CISA, FBI Warn of Malware Tied to North Korean Hackers).

Lazarus used the BlindingCan and CopperHedge backdoors to attack a think tank in South Korea in June, a Latvian IT asset-monitoring tool vendor in May and undisclosed organizations in the defense industry, according to Kaspersky.
Supply chain attacks, such as the one described by the researchers, take advantage of the trust companies have in their vendors – especially security vendors – and the tools they install in company environments, says Erich Kron, security awareness advocate at cybersecurity firm KnowBe4.

“These tools often have a high level of permissions, which makes the deployment of malicious payloads a trivial task. Unfortunately, the very tools that are compromised may even be the same tools tasked to stop or discover an intrusion,” Kron tells ISMG.

During Kaspersky’s initial research on CopperHedge, researchers found Lazarus using a downloader named Racket, which Lazarus signed using a stolen certificate and compromised vulnerable web servers. The group then uploaded several scripts to filter and control the malicious implants on successfully breached machines, the researchers say.
Cybercriminals are exploiting vulnerabilities in the supply chain to wreak havoc on large enterprises, says Demi Ben-Ari, CTO and co-founder at Panorays.

“In this case, the Lazarus hacking group targeted a South Korean think tank through a Latvian IT vendor, reflecting the same strategy that was used in the SolarWinds and Accellion breaches,” Ben-Ari notes. “These types of cyberattacks drive home the fact that an organization is only as secure as the third parties to which it is connected.”

Senior security researcher at Kaspersky’s Global Research and Analysis Team Ariel Jungheit says the recent developments highlight two things: Lazarus remains interested in the defense industry, and it is looking to expand its capabilities with supply chain attacks.

“This APT group is not the only one seen using supply chain attacks. In the past quarter, we have also tracked such attacks carried out by SmudgeX and BountyGlad. When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organization – something we saw clearly with the SolarWinds attack last year. With threat actors investing in such capabilities, we need to stay vigilant and focus defense efforts on that front,” Jungheit notes.

Lazarus commonly uses spear-phishing as an initial attack vector, according to KnowBe4’s Kron. To defend against them, he says, organizations should teach users how to spot and report these social engineering attacks.
To avoid falling victim to a targeted attack by a known or unknown threat actor, the researchers recommend that companies offer SOC teams access to the latest threat intelligence and upskill their cybersecurity teams to tackle the latest targeted threats.

In addition, for endpoint-level detection, investigation and timely remediation of incidents, the researchers suggest implementing EDR solutions and adopting essential endpoint protection ,as well as putting in place a corporate-grade security solution that detects advanced threats on the network level at an early stage.

It’s essential for every organization to have a robust and automated third-party security risk management process in place that assesses and continuously monitors the cyber posture of all suppliers, vendors and business partners, Panorays’ Ben-Ari notes.

The Lazarus Group has been tied to several high-profile attacks. It was reportedly behind the WannaCry worm in 2017, the theft of $81 million from a Bangladesh bank and the attack on Sony Pictures in 2014.

In February, a report by Kaspersky found that the Lazarus Group had been conducting a campaign against defense industry targets in more than a dozen countries using the ThreatNeedle backdoor, which moves laterally through networks and overcomes network segmentation (see: Lazarus Hits Defense Firms With ThreatNeedle Malware).

In March, the group began deploying TFlower ransomware, using its MATA malware framework. The deployment raised the possibility that the Lazarus Group is either the group behind TFlower or has some level of collaboration with it in terms of operations or capabilities. Alternatively, the group may be masquerading as TFlower for some of its ransomware operations, according to a report (see: Lazarus Group Tied to TFlower Ransomware).

The U.S. government has in the past issued frequent warnings about North Korean-sponsored hackers and published data on nearly 30 malware variants associated with hacking groups suspected of working with the regime (see: Group Behind WannaCry Now Using New Malware).

Source: GovInfoSecurity

Share This Article
Leave a comment