Lazarus malware delivered to South Korean users via supply chain attacks

Forum Library

Security experts from ESET reported that North-Korea-linked Lazarus APT (aka HIDDEN COBRA) is behind cyber campaigns targeting South Korean supply chains. According to the experts the nation-state actors leverage stolen security certificates from two separate, legitimate South Korean companies.

The activity of the Lazarus APT group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the Sony Pictures hack.

According to a report published by Kaspersky Lab in January 2020, over the preceding two years the North Korea-linked APT group had continued to target cryptocurrency exchanges, evolving its TTPs.

In August, F-Secure Labs experts observed a spear-phishing campaign targeting an organization in the cryptocurrency industry.

In campaigns spotted by ESET, Lazarus attackers attempted to deploy their malware via a supply-chain attack in South Korea.

“In order to deliver its malware, the attackers used an unusual supply-chain mechanism, abusing legitimate South Korean security software and digital certificates stolen from two different companies.” reads the analysis published by ESET.

The attackers are attempting to exploit the need to install additional security software when South Korean users visit government or financial services websites.

The WIZVERA VeraPort integration installation program is used to manage additional security software (e.g., browser plug-ins, security software, identity verification software, etc.) that is requested to visit particular government and banking domains.

WIZVERA VeraPort is used to digitally sign and verify downloads.

Websites that support the WIZVERA VeraPort software contain a server-side component, specifically some JavaScripts and a WIZVERA configuration file. The configuration file is base64-encoded XML containing multiple parameters, including the website address, the list of software to install, and download URLs. Attackers can replace the software to be delivered to users via WIZVERA VeraPort from a legitimate, compromised website.

“These configuration files are digitally signed by WIZVERA. Once downloaded, they are verified using a strong cryptographic algorithm (RSA), which is why attackers can’t easily modify the content of these configuration files or set up their own fake website.” continues the report. “However, the attackers can replace the software to be delivered to WIZVERA VeraPort users from a legitimate but compromised website. We believe this is the scenario the Lazarus attackers used.”


Lazarus threat actors were able to obtain code-signing certificates from two South Korean security companies in order to carry out supply chain attacks.

The experts pointed out that WIZVERA VeraPort only verifies the signature for the downloaded binaries, without checking to whom it belongs.

This behavior opens the door to attacks; for this reason, Lazarus APT leverages valid but stolen digital certificates to deliver its malware.

Experts detected two malware samples that were delivered with this technique as legitimate South Korean software. The software appears to be legitimate: it uses similar names, icons, and VERSIONINFO resources as legitimate South Korean software often delivered via WIZVERA VeraPort.

When a victim visits a compromised website, WIZVERA VeraPort will serve a dropper for the Lazarus malware, which extracts a downloader and configuration files.

Then the malware connects to the attacker’s command-and-control (C2) server and the final payload, which is a Remote Access Trojan (RAT), is deployed on the victim’s machine.

“It’s the combination of compromised websites with WIZVERA VeraPort support and specific VeraPort configuration options that allow attackers to perform this attack,” ESET concludes. “Owners of such websites could decrease the possibility of such attacks, even if their sites are compromised, by enabling specific options (e.g. by specifying hashes of binaries in the VeraPort configuration).”
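The weakness the post describes (a valid signature is accepted no matter who signed, and no hash is pinned in the configuration) can be modelled as two download-acceptance policies side by side. This is an added illustration, not ESET's or WIZVERA's code: the XML element names, the sample binaries, the signer allowlist and the pre-computed signature-check result are all constructed assumptions, not the real VeraPort format or a real Authenticode check.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class Artifact:
    """Downloaded binary plus a (hypothetical) code-signing check result:
    signature_valid = signature verifies, signer = certificate subject."""
    data: bytes
    signer: str
    signature_valid: bool


# Constructed stand-ins for the legitimate plug-in, the dropper a compromised
# site serves in its place, and the signer allowlist.
LEGIT_PLUGIN = b"MZ-constructed-legitimate-security-plugin"
SWAPPED_DROPPER = b"MZ-constructed-trojanised-dropper"
TRUSTED_SIGNERS = {"Example Security Vendor Co."}

# Constructed base64-encoded XML in the spirit of the config the post describes
# (site, software list, download URL); element names are assumptions, not the
# real WIZVERA schema.
SAMPLE_CONFIG_B64 = base64.b64encode(
    b'<veraport><site>https://bank.example.test</site>'
    b'<program name="SecurityPlugin" url="https://bank.example.test/dl/plugin.exe" '
    b'sha256="' + hashlib.sha256(LEGIT_PLUGIN).hexdigest().encode() + b'"/></veraport>'
)


def parse_config(b64: bytes) -> dict:
    """Decode the config and return {program name: pinned sha256 or None}."""
    root = ET.fromstring(base64.b64decode(b64))
    return {p.get("name"): p.get("sha256") for p in root.iter("program")}


def weak_policy(artifact: Artifact) -> bool:
    """What the post attributes to VeraPort: any valid signature passes, so a
    binary signed with a stolen but valid certificate is accepted."""
    return artifact.signature_valid


def hardened_policy(artifact: Artifact, pinned, trusted_signers) -> list:
    """Pinned hash (the post's mitigation) plus a signer allowlist; returns
    findings, and an empty list means accept."""
    findings = []
    if not artifact.signature_valid:
        findings.append("signature invalid")
    if artifact.signer not in trusted_signers:
        findings.append(f"unexpected signer: {artifact.signer}")
    if pinned is None:
        findings.append("no hash pinned in config")
    elif hashlib.sha256(artifact.data).hexdigest() != pinned:
        findings.append("sha256 mismatch against pinned hash")
    return findings
```

Run `weak_policy` and `hardened_policy` on the same validly signed but swapped binary to see the first accept it and the second reject it on both the hash and the signer.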
 

Carding

Payment service CoinsPaid has resumed operations after a $37 million hacker attack on July 22. Developers suspect the involvement of the North Korean Lazarus Group.

Representatives of the company said that customer funds were not affected, however, the hack affected the availability and revenue of the platform.

“Probably, Lazarus expected that the attack on CoinsPaid would be more successful. In response to the hack, a dedicated team of company experts worked tirelessly to harden our systems and mitigate the impact. The security measures and procedures have enabled the platform to prevent a larger loss of funds,” the firm said in a statement.

Following the attack, the platform immediately initiated an investigation to trace and label the stolen funds. Crystal, Chainalysis, Match Systems, Valkyrieinvest, Staked.us, OKCoinJapan and Binance are helping with this project.

The firm also filed a complaint with law enforcement. According to Max Krupyshev, CEO of CoinsPaid, it will take several more days to restore all the systems of the project.

Analysts at the firm noted that the Lazarus Group was allegedly responsible for the hacks of other crypto companies, including the Ronin sidechain, the Atomic Wallet wallet, the Alphapo platform, and the Horizon cross-chain bridge.

In the near future, CoinsPaid will organize a "round table" with all victims of North Korean hackers to announce a new initiative aimed at minimizing and preventing similar attacks in the future.
 

Carding

Meet Lazarus, CoinsPaid's new HR Manager!

Estonian cryptocurrency payment processing company CoinsPaid has found out exactly how Lazarus hackers from North Korea gained access to its systems on July 23. Then more than $37 million was stolen.

Using fake recruiters, allegedly from other organizations, the attackers offered CoinsPaid employees jobs. The most attractive condition of the job was the salary: from $16,000 to $24,000 per month.

One of the employees agreed to an online interview with the "employer". During the interview, he was asked to download special software and complete a test task. The man, according to the investigation, installed JumpCloud Agent or another program containing malicious files on his PC. The JumpCloud platform itself was probably also hacked by hackers in July to target cryptocurrency exchanges.

Experts note that all actions of Lazarus were carefully planned. They spent six months studying CoinsPaid, collecting information about the structure and technical features of the service. This explains why the manipulations looked extremely plausible and did not arouse any suspicions in the victim.

"Having gained access to the CoinsPaid infrastructure, the attackers used the system vulnerability as a backdoor," CoinsPaid said. "The knowledge gained during the research phase allowed them to send requests to interact with the blockchain and withdraw funds from our operational storage."

Before the July 23 attack, hackers repeatedly tried to break into the platform, starting in March 2023, but after several unsuccessful attempts, they changed their approach. Social engineering was chosen as the main method, focusing on individual employees rather than the company as a whole.

CoinsPaid also revealed that it is partnering with blockchain security organization Match Systems to track stolen funds. It is already known that most of the cryptocurrency was transferred to SwftSwap. According to experts, the transaction scheme used by criminals is similar to the actions of Lazarus during the hacking of Atomic Wallet in the amount of $35 million in June.
 

Carding

How a vulnerability in Zoho ManageEngine products opened up a gold mine for North Korean hackers.

The Lazarus hacker group from North Korea is actively exploiting a critical vulnerability in the Zoho ManageEngine software to attack many companies from different countries.

The malicious operation was launched earlier this year and was aimed at compromising organizations in the United States and the United Kingdom in order to install the QuiteRAT malware and the new CollectionRAT Trojan.

Information about CollectionRAT appeared after researchers analyzed the infrastructure used for campaigns, which the attacker used for other attacks as well.

"In early 2023, we saw Lazarus Group successfully compromise an Internet backbone infrastructure provider in the United Kingdom to successfully deploy QuiteRAT. Attackers used a vulnerable instance of ManageEngine ServiceDesk to gain initial access," Cisco Talos researchers reported.

Lazarus first deployed a PoC exploit for vulnerability CVE-2022-47966, a pre-authentication remote code execution flaw, just 5 days after it was published by a team of Horizon3 researchers.

In the second half of 2022, attackers used the MagicRAT malware in their attacks. At that time, energy suppliers in the United States, Canada and Japan suffered very significant damage.

Then, in February 2023, researchers discovered the QuiteRAT malware. It is described as a simple but powerful remote access Trojan, which appears to be a major improvement over MagicRAT.

QuiteRAT's code is reportedly more compact than MagicRAT's, and careful selection of Qt libraries has reduced its size from 18 MB to just 4 MB while maintaining the same feature set.

Today, Cisco Talos reported in a separate report on a new Trojan called CollectionRAT, which Lazarus hackers used in their most recent attacks. It is related to the EarlyRAT family and has very extensive capabilities.

CollectionRAT's functionality includes executing arbitrary commands, managing files, collecting system information, creating a reverse shell, creating new processes, fetching and launching new payloads, and finally self-deletion.

Another interesting element of CollectionRAT is the implementation of the Microsoft Foundation Class (MFC) framework, which allows the Trojan to decrypt and execute its code on the fly, evade detection and hinder analysis.

Additional signs of evolution in Lazarus tactics, methods, and procedures that Cisco Talos has noticed include extensive use of open source tools and frameworks, such as Mimikatz for credential theft, PuTTY Link (Plink) for remote tunneling, and DeimosC2 for communicating with the management server.

This approach helps Lazarus hackers leave fewer distinct traces and, therefore, makes it more difficult to determine authorship, track it, and develop effective security measures.
 

Carding


The North Korea-linked threat actor known as Lazarus Group has been observed exploiting a now-patched critical security vulnerability affecting Zoho ManageEngine ServiceDesk Plus to distribute a remote access trojan called QuiteRAT.

The targets are internet backbone infrastructure and healthcare organizations in Europe and the U.S., cybersecurity company Cisco Talos said in a two-part analysis published today.

Moreover, a closer examination of the adversary's recycled attack infrastructure in its cyberattacks on enterprises has led to the discovery of a new threat dubbed CollectionRAT.

The fact that Lazarus Group continues to rely on the same tradecraft despite those components having been well documented over the years underscores the threat actor's confidence in its operations, Talos noted.

QuiteRAT is said to be a successor to MagicRAT, which is itself a follow-up to TigerRAT, while CollectionRAT appears to partially overlap with EarlyRAT (aka Jupiter), an implant written in PureBasic with the ability to run commands on the endpoint.

"QuiteRAT has many of the same capabilities as Lazarus Group's better-known MagicRAT malware, but its file size is significantly smaller," security researchers Asheer Malhotra, Vitor Ventura, and Jungsoo An said. "Both implants are built on the Qt framework and include capabilities such as arbitrary command execution."

The use of the Qt framework is seen as a deliberate attempt by the attacker to make analysis considerably harder, since it "increases the complexity of the malware's code."

The activity, detected in early 2023, involved exploiting CVE-2022-47966, just five days after a proof of concept (PoC) for the vulnerability appeared online, to directly deploy the QuiteRAT binary from a malicious URL.

QuiteRAT malware

"QuiteRAT is undoubtedly an evolution of MagicRAT," the researchers said. "While MagicRAT is a larger family of malware, averaging around 18 MB in size, QuiteRAT is a much smaller implementation, averaging 4 to 5 MB."

Another important difference between the two is the absence of a built-in persistence mechanism in QuiteRAT, which requires a command to be issued from the server to ensure continued operation on the compromised host.

The findings also overlap with another campaign disclosed by WithSecure earlier this February, in which security flaws in unpatched Zimbra devices were used to breach victims' systems and ultimately install QuiteRAT.

Cisco Talos said the attacker is "increasingly relying on open-source tools and frameworks in the initial access phase of its attacks, as opposed to strictly using them in the post-compromise phase."

This includes the GoLang-based open-source DeimosC2 framework for obtaining persistent access, with CollectionRAT primarily used to collect metadata, run arbitrary commands, manage files on the infected system, and deliver additional payloads.

It is not immediately clear how CollectionRAT is distributed, but evidence shows that a trojanized copy of the PuTTY Link (Plink) utility hosted on the same infrastructure is used to create a remote tunnel to the system and serve the malware.

"Lazarus Group previously relied on the use of custom implants such as MagicRAT, VSingle, Dtrack, and YamaBot as a means of establishing persistent initial access on a successfully compromised system," the researchers said.

"These implants are then used to deploy a variety of open-source or dual-use tools to perform a multitude of malicious hands-on-keyboard activities in the compromised enterprise network."

This development signals that Lazarus Group is constantly changing tactics and expanding its malicious arsenal, while also weaponizing newly disclosed software vulnerabilities to devastating effect.
 

Carding

How attackers turned WinRAR against South Korea and cryptocurrency services.

A recent report by cybersecurity researchers reveals details of recent attacks on South Korean facilities. Special attention is paid to the activities of hacker groups APT37 and Konni, allegedly linked to North Korea.

As you know, groups of North Korean origin have long chosen the cryptocurrency sector as one of their targets. However, so far the main threat has come from the Lazarus group. The report indicates that Konni has now entered the game, which has recently started using new techniques, including against non-South Korean victims.

As part of the new campaign, attackers exploit a previously unused vulnerability in the WinRAR archiver, CVE-2023-38831. When a victim tries to open an archived HTML file, the malicious code is activated, allowing attackers to gain remote access to the system.

Equally interesting is the complex mechanism for bypassing security protocols. Once activated, the malware detects whether the device is running a 64-bit or 32-bit operating system. Then the code communicates with the server and loads additional instructions encoded in Base64 format. These instructions are converted to an executable file and run.

Then the program checks whether the computer has a remote session, and what version of the operating system is installed. Depending on the received data, the code chooses one of the UAC (User Account Control) bypass methods to set extended privileges for itself.

Attackers use the technique of dynamically loading additional modules. This allows them to quickly adapt and upgrade their code. At the end of the attack process, a hidden service called "Remote Database Service Update" is created in the system, which makes it difficult to detect the virus and then analyze the incident.
 

Carding

$240 Million in 3 Months: Lazarus Fleeces Crypto Platforms One by one

Who will be the next victim of North Korean cybercriminals?

North Korean hacker group Lazarus has stolen almost $240 million worth of cryptocurrencies over the past 3 months, according to the analytical company Elliptic. According to the report published on September 15, the group's activity has been constantly "strengthening" recently.

According to Elliptic, the Lazarus group is associated with five major hacker attacks on cryptocurrency platforms in recent times. The most recent target was the global cryptocurrency exchange CoinEx, from which, according to recent estimates, about $54 million has already been stolen. Elliptic believes that Lazarus is most likely behind this hack.

Elliptic's analysis confirms that some of the funds stolen from CoinEx were transferred to an address previously used by Lazarus to launder funds stolen from Stake's crypto casino.

The FBI last week claimed that Lazarus stole $41 million in cryptocurrency from this platform. This data is consistent with the previously published findings of researcher ZachXBT, who claimed that the CoinEx hackers "accidentally linked their address" to the address used in the Stake attack. The stolen funds were then transferred to Ethereum using a "bridge" previously used by Lazarus.

In addition, Lazarus hackers mixed the stolen funds with addresses seen during the Stake hack, and used an address involved in the $100 million Atomic Wallet hack in June.

"In light of this blockchain activity and the lack of data indicating other threats, Elliptic agrees that the Lazarus group should be suspected of stealing funds from CoinEx," the researchers noted.

Elliptic also stressed that the group's latest attacks are aimed at centralized platforms, possibly because social engineering is more effectively applied to such targets.

CoinEx previously even published an open letter to hackers asking them to contact the company to discuss the possible return of stolen funds on "favorable" terms for all. However, Lazarus hackers are unlikely to be interested in such an offer.
 