Security researchers have uncovered attempts by cybercriminals to deploy Lazarus malware using legitimate South Korean security software and digital certificates stolen from two companies.
The attackers took advantage of South Korean internet users being accustomed to installing additional security software when visiting government or banking websites, according to cybersecurity firm ESET.
Hackers used the stolen digital certificates to get past the checks of the WIZVERA VeraPort security software, so that the malicious payload appeared to users as a legitimate download.
However, ESET stressed that the attacks are deployed at websites that “use WIZVERA VeraPort, rather than at WIZVERA” the company.
WIZVERA VeraPort is used to digitally sign and cryptographically verify downloads.
“When WIZVERA VeraPort is installed, users receive and install all necessary software required by a specific website. Minimal user interaction is required to start such software installation,” explains Anton Cherepanov, ESET researcher who led the investigation into the attack.
“Usually this software is used by government and banking websites in South Korea. For some of these websites it’s mandatory to have WIZVERA VeraPort installed.”
The incident is an example of a supply chain attack, in which hackers target a less secure part of an organisation, such as a third-party vendor, to cause damage. In this case, the two companies that had their digital certificates stolen are the vulnerable link.
ESET said it had so far observed two Lazarus malware samples delivered using this “novel” supply chain method.
Those who download the malicious software unwittingly install a remote access trojan that can carry out covert surveillance, exfiltrate data or remotely control the machine.
Lazarus is an umbrella term for threat groups with ties to North Korea. The group rose to prominence after it was connected to the Sony hack in 2014.
The researchers attributed the attack to the Lazarus group on the basis of the similar toolset characteristics, the fact that it took place in South Korea, and the “setup of network infrastructure”.
Javvad Malik, security awareness advocate at cybersecurity training firm KnowBe4, said: “This attack by Lazarus group is yet another example of how cybercriminals will try to compromise the supply chain at any weak spot to gain access.
“It’s therefore essential that all organisations have effective and robust security controls in place to maintain the integrity of their supply chain and the security of transactions which take place across it. We saw Petya ransomware spread through most of Ukraine due to compromised tax-filing software. Government departments in particular need to keep a close eye on mandatory software or portals which, if compromised, can quickly have large impacts.”