Lazarus Group exploits Zero-Day vulnerability to hack South Korean financial entity


March 8, 2023 | Ravie Lakshmanan | Zero-Day / BYOVD attack


The North Korea-affiliated Lazarus Group has been observed weaponizing flaws in an undisclosed piece of software to breach a financial business entity in South Korea twice within a year.

While the first attack in May 2022 involved the use of a vulnerable version of a certificate software widely used by public institutions and universities, the re-infiltration in October 2022 involved exploiting a zero-day in the same program.

Cybersecurity firm AhnLab Security Emergency Response Center (ASEC) said it is refraining from naming the software due to the fact that "the vulnerability has not been fully verified yet and a software update has not been released."

The adversary collective, after gaining an initial foothold by an unknown method, abused the zero-day flaw to perform lateral movement, shortly after the AhnLab V3 anti-malware engine had been disabled via a BYOVD attack.

It’s worth noting here that the Bring Your Own Vulnerable Driver, aka BYOVD, technique has been used repeatedly by the Lazarus Group in recent months, as documented by both ESET and AhnLab in a series of reports late last year.


Other steps to hide the malicious behavior include changing filenames before deleting them and modifying timestamps using an anti-forensic technique referred to as time-stomping.
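Time-stomping as described above is usually detectable after the fact. The following is an added triage example (not code from the article or from ASEC) that applies two common forensic heuristics to NTFS master file table records: user-mode time-stomping typically rewrites the $STANDARD_INFORMATION timestamps but not the $FILE_NAME ones, and many stomping tools write whole-second values with no sub-second component. The MftRecord layout and the sample records are constructed assumptions, not data from the incident.

```python
"""Triage heuristics for time-stomped files (added example, not from the article)."""
from dataclasses import dataclass
from datetime import datetime

@dataclass
class MftRecord:
    # Assumed shape of a record exported by an MFT parser (constructed for this example).
    path: str
    si_created: datetime    # $STANDARD_INFORMATION created
    si_modified: datetime   # $STANDARD_INFORMATION modified
    fn_created: datetime    # $FILE_NAME created (not touched by SetFileTime-style stomping)

def stomping_indicators(rec: MftRecord) -> list[str]:
    """Return the list of heuristics that fire for one record (empty if none)."""
    hits = []
    # Heuristic 1: $SI times that predate the $FN creation time are inconsistent,
    # because $FN is written when the file is created and rarely updated afterwards.
    if rec.si_created < rec.fn_created:
        hits.append("$SI created precedes $FN created")
    if rec.si_modified < rec.fn_created:
        hits.append("$SI modified precedes $FN created")
    # Heuristic 2: both $SI timestamps with a zero sub-second part. Weaker signal:
    # files copied from FAT media or some installers also show this, so treat as corroboration.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        hits.append("$SI timestamps have zero sub-second component")
    return hits

def triage(records: list[MftRecord]) -> dict[str, list[str]]:
    """Map each suspicious path to the indicators that fired; clean records are omitted."""
    flagged = {}
    for rec in records:
        hits = stomping_indicators(rec)
        if hits:
            flagged[rec.path] = hits
    return flagged

# Constructed sample records: one ordinary file, one whose $SI times were pushed back in time.
SAMPLE_RECORDS = [
    MftRecord(r"C:\Program Files\App\app.exe",
              si_created=datetime(2022, 10, 3, 9, 15, 22, 123456),
              si_modified=datetime(2022, 10, 3, 9, 16, 5, 654321),
              fn_created=datetime(2022, 10, 3, 9, 15, 22, 123456)),
    MftRecord(r"C:\Windows\Temp\Keys.dat",
              si_created=datetime(2019, 4, 10, 12, 0, 0),
              si_modified=datetime(2019, 4, 10, 12, 0, 0),
              fn_created=datetime(2022, 10, 3, 9, 20, 41, 987654)),
]

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_RECORDS).items():
        print(path, "->", "; ".join(hits))
```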

The attack eventually spawned several backdoor payloads (Keys.dat and Settings.vwx) designed to connect to a remote command-and-control server (C2) and retrieve additional binaries and execute them in a fileless fashion.


The development comes a week after ESET shed light on a new implant called WinorDLL64 that is distributed by the notorious threat actor using a malware loader called Wslink.

"The Lazarus group researches the vulnerabilities of various other software and constantly changes its TTPs by changing the way they disable security products and perform anti-forensic techniques to disrupt or delay detection and analysis to infiltrate Korean institutions and companies," ASEC said.
