The Lazarus Group, a North Korea-linked state-sponsored threat actor, has been observed exploiting undisclosed software vulnerabilities to breach the same South Korean financial business entity twice in one year.
In May 2022, the group got in through a vulnerable version of a widely used certificate program. In October 2022 it returned, this time exploiting a zero-day vulnerability in the same software to re-infiltrate the entity.
AhnLab Security Emergency Response Center (ASEC), which reported the intrusions, is not naming the software because verification of the vulnerability is still incomplete and no patch is yet available.
After using the zero-day for lateral movement, the group carried out a BYOVD (Bring Your Own Vulnerable Driver) attack to disable the AhnLab V3 anti-malware engine. In a BYOVD attack the intruder loads a legitimately signed but exploitable driver and abuses it to gain kernel-mode code execution, which is then used to neutralize security products from below rather than fighting them from user mode.
The group also applied anti-forensic techniques, renaming files and altering their timestamps (timestomping) to conceal its activity from investigators.
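As an added example, not code from the ASEC report or from this article, the following Python script shows how an analyst would hunt for timestomped files in an NTFS $MFT export. It relies on the fact that the $STANDARD_INFORMATION timestamps (the ones Explorer shows and SetFileTime rewrites) can be set from user mode, whereas the $FILE_NAME timestamps are maintained only by the NTFS driver, so a file whose $SI creation time predates its $FN creation time, or whose $SI stamps have been rounded to whole seconds while $FN keeps sub-second precision, deserves a closer look. The MftRecord class and the sample records are constructed for illustration and assume the $MFT has already been parsed by a tool that exposes both timestamp sets.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class MftRecord:
    """The two timestamp sets an $MFT parser yields for one file (subset of the full entry)."""
    path: str
    si_created: datetime   # $STANDARD_INFORMATION ($SI) creation time: settable from user mode
    si_modified: datetime  # $SI last-write time: settable from user mode
    fn_created: datetime   # $FILE_NAME ($FN) creation time: written only by the NTFS driver
    fn_modified: datetime  # $FN last-write time: written only by the NTFS driver


def _ts(text: str) -> datetime:
    """Parse an ISO-8601 string as UTC; NTFS stores FILETIME values in UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def timestomp_indicators(rec: MftRecord,
                         tolerance: timedelta = timedelta(seconds=1)) -> list[str]:
    """Return the heuristic indicators that fire for one record; [] means nothing suspicious."""
    hits: list[str] = []

    # Indicator 1: $SI creation predates $FN creation. Both are set together when
    # the file is created and $FN is rewritten only on rename/move, so a $SI value
    # older than $FN usually means $SI was backdated with SetFileTime.
    if rec.si_created < rec.fn_created - tolerance:
        hits.append("si_created_before_fn_created")

    # Indicator 2: the user-settable $SI stamps carry no sub-second part while the
    # kernel-written $FN stamps do. NTFS keeps 100 ns resolution; tools that pass
    # whole seconds to SetFileTime leave .000000. Weak alone, strong with indicator 1.
    si_rounded = rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0
    fn_precise = rec.fn_created.microsecond != 0 or rec.fn_modified.microsecond != 0
    if si_rounded and fn_precise:
        hits.append("si_zero_subsecond")

    return hits


def scan(records: list[MftRecord]) -> dict[str, list[str]]:
    """Map path -> fired indicators, for records where at least one indicator fired."""
    findings: dict[str, list[str]] = {}
    for rec in records:
        hits = timestomp_indicators(rec)
        if hits:
            findings[rec.path] = hits
    return findings


# Constructed sample records, not data from any real incident.
SAMPLE_RECORDS = [
    # Untouched system file: $SI and $FN agree to the microsecond, nothing fires.
    MftRecord(r"C:\Windows\System32\drivers\etc\hosts",
              _ts("2022-03-10T08:15:42.123456"), _ts("2022-03-10T08:15:42.123456"),
              _ts("2022-03-10T08:15:42.123456"), _ts("2022-03-10T08:15:42.123456")),
    # Dropped payload backdated to look old: $SI claims 2019 with whole-second
    # values, while $FN records when the file really appeared in October 2022.
    MftRecord(r"C:\Windows\Temp\dropped.dll",
              _ts("2019-07-22T11:00:00"), _ts("2019-07-22T11:00:00"),
              _ts("2022-10-14T02:37:09.481203"), _ts("2022-10-14T02:37:09.481203")),
    # Benign look-alike: a file copied from a FAT volume keeps its old, 2-second-
    # granular last-write time in $SI, but its $SI creation time equals $FN, so
    # neither indicator fires. Comparing last-write times alone would false-positive here.
    MftRecord(r"C:\Users\analyst\Downloads\report.pdf",
              _ts("2022-10-14T09:00:12.873001"), _ts("2022-06-01T14:30:00"),
              _ts("2022-10-14T09:00:12.873001"), _ts("2022-10-14T09:00:12.873001")),
]


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(hits)}")
```

Both indicators are heuristics, which is why the third sample record is there: files copied from FAT media, archives extracted with preserved timestamps and installers that set timestamps deliberately all produce rounded or back-dated $SI values without any attacker involvement. Treat a hit as a lead to corroborate against USN journal entries, prefetch data and the $FN timestamps of sibling files, not as proof of timestomping on its own.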
These steps allowed the group to install multiple backdoor payloads that connect to a remote command-and-control (C2) server, retrieve additional binaries and execute them in memory in a fileless manner, leaving few artifacts on disk for investigators to recover.
The Lazarus Group keeps changing its tactics, techniques and procedures (TTPs) to hinder or delay detection and analysis as it targets Korean institutions and companies.
This comes a week after ESET reported a new implant, WinorDLL64, which the Lazarus Group deploys through a malware loader named Wslink. Security researchers warn that the group's activity could affect financial institutions and other industries beyond South Korea.
In conclusion, the Lazarus Group's use of undisclosed software vulnerabilities to breach the same South Korean financial entity twice in one year underlines the importance of identifying and patching software vulnerabilities promptly, and of keeping an inventory of widely deployed third-party software such as the certificate program abused here, since it is exactly this kind of software that attackers return to.
Organizations should also harden against the specific techniques seen in this campaign. BYOVD attacks can be blunted by enforcing a vulnerable-driver blocklist (for example Microsoft's recommended driver block rules, which Windows Defender Application Control and hypervisor-protected code integrity can enforce) and by alerting on unexpected kernel driver loads, and defenders should be prepared to detect anti-forensic techniques such as timestomping, for instance by comparing $STANDARD_INFORMATION timestamps with the kernel-maintained $FILE_NAME timestamps in the NTFS master file table rather than trusting the timestamps Explorer displays.
Finally, security teams should continue to monitor the Lazarus Group's activity and track any new tactics or techniques it adopts against institutions and companies beyond South Korea.