N. Korean Lazarus Group Targets Software Vendor Using Known Flaws

October 27, 2023 at 11:43AM

The Lazarus Group, a North Korea-linked threat actor, has launched a new cyber attack campaign targeting a software vendor by exploiting known security flaws in another software product. The attack involved the deployment of malware families such as SIGNBT and LPEClient. The Lazarus Group has demonstrated advanced evasion techniques and has targeted other software makers in the past. Multiple victims were identified, but the exact method of attack remains unknown. This is another example of the Lazarus Group's evolving tactics and sophistication in cyber operations.

Key Takeaways from Meeting Notes:

1. The Lazarus Group, aligned with North Korea, carried out a cyber attack targeting a software vendor.
2. The attack involved exploiting known security flaws in another high-profile software product.
3. Malware families, including SIGNBT and LPEClient, were deployed in the attack.
4. The Lazarus Group employed advanced evasion techniques and used SIGNBT malware for victim control.
5. The attacked software company has been targeted by Lazarus multiple times, suggesting an attempt to steal source code or poison the software supply chain.
6. Victims were targeted through legitimate security software that encrypts web communications using digital certificates.
7. The exact mechanism of how the software was weaponized to distribute SIGNBT is unknown.
8. The attack chains used an in-memory loader to launch the SIGNBT malware.
9. SIGNBT establishes contact with a remote server and retrieves further commands for execution.
10. The Windows backdoor deployed in the attack has various capabilities to control the victim’s system.
11. At least three different Lazarus campaigns were identified in 2023 with varied intrusion vectors but consistently using LPEClient malware.
12. The Lazarus Group has targeted cryptocurrency companies using trojanized software.
13. These findings highlight the ongoing threat of North Korean-linked cyber operations and the ever-evolving tactics of the Lazarus Group.