Lazarus supply‑chain attack in South Korea
ESET researchers uncover a novel Lazarus supply-chain attack leveraging WIZVERA VeraPort software
ESET telemetry data recently led our researchers to discover attempts to deploy Lazarus malware via a supply-chain attack in South Korea. In order to deliver its malware, the attackers used an unusual supply-chain mechanism, abusing legitimate South Korean security software and digital certificates stolen from two different companies.
Lazarus toolset
The Lazarus group was first identified in Novetta’s report Operation Blockbuster in February 2016; US-CERT and the FBI call this group HIDDEN COBRA. These cybercriminals rose to prominence with the infamous case of cybersabotage against Sony Pictures Entertainment.
Some of the past attacks attributed to the Lazarus group attracted the interest of security researchers who relied on Novetta et al.’s white papers with hundreds of pages describing the tools used in the attacks – the Polish and Mexican banks, the WannaCryptor outbreak, phishing campaigns against US defense contractors, Lazarus KillDisk attack against …
IoC