lazarusholic

A cascade of compromise: unveiling Lazarus' new campaign

2023-10-27, Kaspersky
https://securelist.com/unveiling-lazarus-new-campaign/110888/
#LPEClient #SIGNBT

Earlier this year, a software vendor was compromised by the Lazarus malware delivered through unpatched legitimate software. What’s remarkable is that these software vulnerabilities were not new, and despite warnings and patches from the vendor, many of the vendor’s systems continued to use the flawed software, allowing the threat actor to exploit them. Fortunately, a proactive response by us detected an attack on another vendor and effectively thwarted the attacker’s efforts.
Upon further investigation, we discovered that the software vendor that developed the exploited software had previously fallen victim to Lazarus several times. This recurring breach suggested a persistent and determined threat actor with the likely objective of stealing valuable source code or tampering with the software supply chain, and they continued to exploit vulnerabilities in the company’s software while targeting other software makers.
The adversary demonstrated a high level of sophistication, employing advanced evasion techniques and introducing SIGNBT malware for victim …

IoC
