October 27, 2023 at 12:52PM
The North Korean Lazarus hacking group repeatedly targeted a software vendor, breaching its systems multiple times despite patches and warnings. Kaspersky discovered the attack, which was part of a broader campaign in which Lazarus targeted various software vendors. The hackers used the SIGNBT malware and the LPEClient info-stealer to gain access to compromised systems. This highlights the need for organizations to proactively patch software and prevent vulnerabilities from being exploited. Lazarus remains a highly active and dangerous threat actor.
Key Takeaways from Meeting Notes:
1. Lazarus, a North Korean hacking group, repeatedly breached a software vendor’s systems despite patches and warnings from the developer. This suggests the hackers aimed to steal source code or carry out a supply chain attack.
2. Kaspersky discovered the attack in July 2023 and observed Lazarus using a diverse infection chain and post-compromise toolset.
3. The attack was part of a broader campaign by Lazarus targeting various software vendors from March 2023 to August 2023.
4. Lazarus targeted security software used for web communications encryption, but the exact exploitation method is unknown.
5. The SIGNBT malware was deployed by Lazarus, using shellcode to inject the payload into memory. Persistence was achieved through modifications to the Windows Registry or by adding a malicious DLL to Startup.
6. SIGNBT communicates with Lazarus’ command and control server and supports various commands for system information, process management, file system operations, and more.
7. SIGNBT can also fetch additional payloads from the command and control server and deploy them on the compromised system.
8. Lazarus leverages SIGNBT to load credential dumping tools and the LPEClient malware, which is an info-stealer and malware loader.
9. LPEClient has evolved with advanced techniques to improve stealth and avoid detection.
10. Lazarus has used LPEClient in other campaigns in 2023, but it was previously employed at earlier infection phases to inject other payloads.
11. Lazarus is a highly active and dangerous threat actor with a broad targeting scope across regions and industries.
12. Organizations should proactively patch software and prevent easy exploitation of vulnerabilities to defend against Lazarus’ sophisticated tactics.
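Item 5 above notes that SIGNBT persisted through Windows Registry modifications or a malicious DLL placed in Startup. The following is an added example, not code from the article or from Kaspersky's report, of the kind of autorun triage a defender would run over exported Run-key values and Startup-folder contents. The entries, paths and value names are constructed for illustration, and the three heuristics (DLL-based entry, rundll32/regsvr32 loader, user-writable launch path) are this example's own assumptions rather than indicators published for this campaign.

```python
"""Flag autorun entries that look like DLL-based persistence.

Added example (not from the original article). Input is a constructed,
inline list of autorun entries in the shape a defender would export from
the Run/RunOnce Registry keys and the Startup folder.
"""
from dataclasses import dataclass

# Directories a standard user can write to. A persistence entry that
# launches from one of these deserves a closer look (heuristic, assumed
# by this example, not a published indicator).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Living-off-the-land binaries commonly used to execute a DLL from an
# autorun entry (heuristic, assumed by this example).
DLL_LOADERS = ("rundll32", "regsvr32")


@dataclass(frozen=True)
class AutorunEntry:
    source: str    # where the entry lives: a Run key or the Startup folder
    name: str      # registry value name or file name
    command: str   # the command line or the file path that gets launched


def audit_entry(entry: AutorunEntry) -> list[str]:
    """Return the list of reasons an entry is suspicious (empty if none)."""
    cmd = entry.command.lower()
    reasons = []
    if ".dll" in cmd:
        reasons.append("launches a DLL")
    if any(loader in cmd for loader in DLL_LOADERS):
        reasons.append("uses rundll32/regsvr32 loader")
    if any(directory in cmd for directory in USER_WRITABLE):
        reasons.append("runs from user-writable path")
    return reasons


def audit(entries: list[AutorunEntry]) -> dict[str, list[str]]:
    """Map '<source>\\<name>' to its reasons for every flagged entry."""
    flagged = {}
    for entry in entries:
        reasons = audit_entry(entry)
        if reasons:
            flagged[f"{entry.source}\\{entry.name}"] = reasons
    return flagged


# Constructed sample data: two benign entries and two that mimic the
# persistence styles described in the article (all names invented).
RUN_HKLM = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
RUN_HKCU = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
STARTUP = "Startup folder"

SAMPLE_ENTRIES = [
    AutorunEntry(RUN_HKLM, "SecurityHealth",
                 "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
    AutorunEntry(RUN_HKCU, "Updater",
                 "rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\svc\\core.dll,Start"),
    AutorunEntry(STARTUP, "helper.dll",
                 "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\"
                 "Start Menu\\Programs\\Startup\\helper.dll"),
    AutorunEntry(STARTUP, "OneDrive.lnk",
                 "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"),
]

if __name__ == "__main__":
    for key, reasons in audit(SAMPLE_ENTRIES).items():
        print(f"{key}: {', '.join(reasons)}")
```

On the constructed sample, the HKCU `Updater` value and the `helper.dll` file in the Startup folder are flagged, while the two entries launching from `System32` and `Program Files` are not. In practice the same function would be fed the real export from `reg query` or a directory listing, and any flagged entry would be correlated with the process-injection and C2 behaviour described for SIGNBT rather than treated as a verdict on its own.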