The Lazarus Group exploits a flaw to hack a South Korean firm

March 14, 2023
Tags: Lazarus Hacker Group, North Korean Hackers, South Korea, Zero Day Vulnerability, BYOVD

The North Korean state-sponsored threat group Lazarus has exploited a critical vulnerability in an unnamed software product to breach a South Korean financial business entity. According to reports, the group has already carried out two attacks against the same entity in the past six months.

The first attack occurred in May last year, when the hackers leveraged a vulnerable version of a certificate program that is widely used by public institutions and universities in South Korea. The actors later reinfiltrated the entity by exploiting the same zero-day flaw.

Security researchers have not yet released further details about the exploit, since the vulnerability has not been independently verified. Moreover, the software vendor has yet to release a fix for the flaw.

The Lazarus group used the BYOVD tactic to disable the impacted entity’s anti-malware engine.

According to investigations, the Lazarus group abused the zero-day vulnerability to move laterally within the targeted system. The group then disabled the target’s anti-malware solution via a BYOVD (Bring Your Own Vulnerable Driver) attack.

Researchers noted that the threat actors have used the BYOVD technique repeatedly over the past few months, as samples from several of the group’s campaigns have been collected across different operations.

The Lazarus operators have also used several strategies to conceal their activity, such as renaming files before deleting them from the system and modifying file timestamps. Experts explained that the group altered timestamps using an anti-forensic technique called timestomping.
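Timestomping tools that run in user mode can rewrite a file’s visible timestamps, but on NTFS the kernel keeps a second copy in the $FILE_NAME attribute that such tools do not touch, so a responder can compare the two sets. The following triage script is an added example written for this article, not code from the original report or from any of the researchers cited; the $MFT records it inspects are constructed inline (the file paths are placeholders), and the two heuristics it applies (an SI timestamp predating its FN counterpart, and an SI timestamp with an all-zero sub-second component) are standard forensic checks, not anything the article describes in detail.

```python
"""Heuristic timestomping triage over NTFS $MFT timestamp pairs (constructed example).

Each record carries the $STANDARD_INFORMATION (SI) and $FILE_NAME (FN)
created/modified timestamps of one file, in the shape a forensic tool
would export after parsing the $MFT.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class MftRecord:
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def timestomp_indicators(rec: MftRecord) -> list[str]:
    """Return the heuristics that fire for one record (empty list = nothing suspicious).

    User-mode APIs such as SetFileTime only rewrite $STANDARD_INFORMATION.
    $FILE_NAME is maintained by the kernel and is copied from SI when the file
    is created, renamed or moved, so an SI timestamp that is *earlier* than
    its FN counterpart is inconsistent with normal file system behaviour.
    """
    reasons = []
    if rec.si_created < rec.fn_created:
        reasons.append("SI created predates FN created")
    if rec.si_modified < rec.fn_modified:
        reasons.append("SI modified predates FN modified")
    # Weaker signal: many stomping tools accept second-granular input, so the
    # 100 ns sub-second part of the written FILETIME ends up as exactly zero.
    # Genuine files occasionally show this too (e.g. copied from FAT media).
    for label, ts in (("created", rec.si_created), ("modified", rec.si_modified)):
        if ts.microsecond == 0:
            reasons.append(f"SI {label} has a zero sub-second component")
    return reasons


def triage(records: list[MftRecord]) -> dict[str, list[str]]:
    """Map path -> fired indicators for every record with at least one hit."""
    hits = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            hits[rec.path] = reasons
    return hits


# Constructed sample records; paths are placeholders, not real IoCs.
SAMPLE_RECORDS = [
    # Ordinary document: FN values were copied from SI at creation, SI modified
    # moved forward on a later save, sub-second fields are populated.
    MftRecord(
        path="C:\\Users\\svc\\report.docx",
        si_created=datetime(2023, 3, 2, 9, 15, 7, 431200, UTC),
        si_modified=datetime(2023, 3, 9, 16, 2, 41, 118900, UTC),
        fn_created=datetime(2023, 3, 2, 9, 15, 7, 431200, UTC),
        fn_modified=datetime(2023, 3, 2, 9, 15, 7, 431200, UTC),
    ),
    # Dropped binary whose SI times were backdated to blend in with OS files:
    # FN still records the real drop time, and the SI values are second-exact.
    MftRecord(
        path="C:\\Windows\\Temp\\example_loader.dll",
        si_created=datetime(2019, 12, 7, 9, 14, 52, 0, UTC),
        si_modified=datetime(2019, 12, 7, 9, 14, 52, 0, UTC),
        fn_created=datetime(2023, 3, 10, 2, 47, 13, 902300, UTC),
        fn_modified=datetime(2023, 3, 10, 2, 47, 13, 902300, UTC),
    ),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_RECORDS).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

In practice the records come from an $MFT parser rather than being hand-built, and the SI-before-FN comparison is the check worth acting on; the zero sub-second heuristic is only a prioritisation hint and should be weighed against the file’s location and signer before escalating.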

These techniques allowed the attackers to deploy multiple backdoor payloads that connect to an attacker-controlled command-and-control server, retrieve further binaries, and execute them filelessly.

Lazarus promptly adjusted its execution methods after security researchers published new details about its WinorDLL64 backdoor, which is delivered through a malware loader. Experts warn organisations and software vendors that the Lazarus group is constantly searching for and studying vulnerabilities in every software product.

The actors use this research to refine their TTPs, changing how they disable security products and how they apply anti-forensic techniques. These North Korean threat groups constantly vary their attack methods to hinder analysis by researchers and to breach further South Korean firms and institutions.
