The North Korea-affiliated Lazarus Group has been observed weaponizing an undisclosed piece of software to breach a financial business entity in South Korea twice within a year.
While the first attack in May 2022 involved the use of a vulnerable version of certificate software widely used by public institutions and universities, the re-infiltration in October 2022 involved exploiting a zero-day in the same program.
Cyber security firm AhnLab Security Emergency Response Center (ASEC) said it is refraining from naming the software due to the fact that “the vulnerability has not been fully verified yet and a software update has not been released.”
The adversary collective, after gaining an initial foothold by an unknown method, abused the zero-day flaw to perform lateral movement shortly after the AhnLab V3 anti-malware engine was disabled via a BYOVD attack.
It’s worth noting here that the Bring Your Own Vulnerable Driver, aka BYOVD, technique has been used repeatedly by the Lazarus Group in recent months, as documented by both ESET and AhnLab in a series of reports late last year.
Other steps to hide the malicious behavior include changing filenames before deleting them and modifying timestamps using an anti-forensic technique referred to as time-stomping.
The attack eventually spawned several backdoor payloads (Keys.dat and Settings.vwx) designed to connect to a remote command-and-control server (C2) and retrieve additional binaries and execute them in a fileless fashion.
The development comes a week after ESET shed light on a new implant called WinorDLL64 that is distributed by the notorious threat actor using a malware loader called Wslink.
“The Lazarus group researches the vulnerabilities of various other software and constantly changes its TTPs by changing the way they disable security products and perform anti-forensic techniques to disrupt or delay detection and analysis to infiltrate Korean institutions and companies,” ASEC said.