The Lazarus hacker gang, which is backed by North Korea, has shifted its emphasis to new targets and has been detected by Kaspersky security experts improving its supply chain assault capabilities. After breaching a Latvian IT provider in May, Lazarus utilized a new form of the BLINDINGCAN backdoor to attack a South Korean research tank in June.
Lazarus built an infection chain in the first case found by Kaspersky researchers, which began with legitimate South Korean security software distributing a malicious payload. The target in the second case was a Latvian company that develops asset monitoring solutions, an unusual victim for Lazarus. CISA and the FBI were the first to notice the backdoor utilized in these assaults. It can elude detection by removing itself from infiltrated computers, exfiltrate data, create and destroy processes, and tamper with file and folder timestamps, according to the researchers.
The infection chain included the Racket downloader, which was signed with a stolen certificate. The hacker gang infiltrated weak web servers and installed scripts that gave them control over the dangerous implants.
Lazarus has been targeting the defence industry using the MATA malware architecture for cyber-espionage purposes for some months, according to Kaspersky. MATA had previously been utilized by the gang for a variety of reasons, including data theft and ransomware transmission. A downloader was used to collect further malware from the command and control (C&C) server in the attacks, which leveraged a multi-stage infection chain. For this campaign, Lazarus upgraded the MATA framework and signed some of its components with a legitimate but stolen digital certificate.
“Through this research, we discovered a stronger connection between MATA and the Lazarus group, including the fact that the downloader malware fetching MATA malware showed ties to TangoDaiwbo, which we had previously attributed to the Lazarus group,” Kaspersky said.
Lazarus, also known as Hidden Cobra, has been active since at least 2009 and is suspected of orchestrating a number of high-profile strikes. In 2020, the group targeted COVID-19 research, as well as members of the security research community and vaccine maker Pfizer.
"These recent developments highlight two things: Lazarus remains interested in the defense industry and is also looking to expand its capabilities with supply chain attacks," said Ariel Jungheit, a senior security researcher at Kaspersky. "When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organization – something we saw clearly with the SolarWinds attack last year."
