A North Korea-linked hacking group known as Lazarus is likely behind a compromised version of a popular IDA Pro reverse engineering application, in the second Democratic People's Republic of Korea (DPRK) assault against cybersecurity researchers discovered this year.
IDA Pro is an application that converts an executable file into assembly language, allowing cybersecurity experts and programmers to examine legitimate software for bugs and to determine malicious behavior.
Due to its high cost, some researchers often download a pirated cracked version; as with any pirated software, there is always the risk of running malicious executables. This is exactly what ESET researcher Anton Cherepanov spotted in a compromised version of IDA Pro 7.5, distributed by the Lazarus hacker group.
Threat actors inject two malicious DLLs named idahelp.dll and win_fw.dll into the IDA pro installer that will be launched when the program is installed. The win_fw.dll file manufactures a new task in the Windows Task Scheduler that executes the idahelper.dll program.
The idahelper.dll will then link to the devguardmap[.]org site and install malicious payloads believed to be the NukeSped remote access trojan. The installed RAT will allow the cybercriminals to gain access to the security researcher's device to steal files, take screenshots, log keystrokes, or execute further commands.
"Based on the domain and trojanized application, we attribute this malware to known Lazarus activity, previously reported by Google's Threat Analysis Group and Microsoft," ESET tweeted regarding connection to Lazarus.
A North Korean hacking group, tracked as Zinc by Microsoft, has a long history of targeting security researchers with backdoors and remote access trojans. Earlier this year in January, Google revealed that Lazarus designed a plot to launch a mass-scale social media campaign to create fake personas posing as vulnerability researchers.
Using these personas, the hackers contact other security researchers regarding potential collaboration in vulnerability research. After establishing contact with a researcher, the hackers sent malicious Visual Studio projects with malware as prebuilt binaries. This includes the Comebacker dynamic link library (DLL) which attempts to perform privilege escalation for processes and the Klackring DLL that registers malicious services on the researcher's device.
APT groups in North Korea are increasing with each passing day and are directly linked to the regime of Kim Jong Un. Lazarus is the largest and most prolific of those groups and is believed to be responsible for an attack on COVID-19 vaccine makers in December 2020, to steal intellectual property.
