APT Lazarus Group: From Finance to Vaccine Secrets

December 30, 2020
apt lazarus group north korea vaccine Pharmaceutical Industries

Vaccine race and espionage in this era are like twins, but the other one is evil because it comes with the intent to steal to get ahead of the race. Legitimate pharmaceutical companies and the whole medical industry are pouring in all the hard work through thorough research to develop a working vaccine that is safe and efficient at the same time. It cannot be helped that some countries and companies(who employ hackers) still see vaccine development as a race that will forgive the ends to any means for the sake of developing a vaccine while disrespecting intellectual property rights.

Lazarus Group is known industry hackers with a reputation who manages to break into financial institutions for profit. It is also a known thing that they are related to the North Korean government for their alleged state-sponsored activities to provide intel for North Korean’s whims. Until now, they still run rampant, causing new havoc, but this time around against the pharmaceutical industry during this worldwide pandemic, thanks to COVID-19.


Why Lazarus targeted Pharmaceutical Industries?

Why suddenly target the pharmaceutical industries and health-related institutions? It seems that the race to create a vaccine is an opportunity to steal data about its creation in unlocking trade secrets that will surely benefit the recipient of the data. The motivation could be anywhere from state-sponsored attacks or self-initiated activities to sell data to the highest bidder. But alas, Kaspersky researchers discovered that the goal of such attacks is intellectual-property theft to advance and speed up their host country’s vaccine-development efforts.


Recent Lazarus Group Hacking victims

Kaspersky mentioned by the end of September the Lazarus Group attacked a pharmaceutical company while investigating they found out that the notorious hacking group also attacked the ministry of health related to the COVID-19 response. Methods utilized to hack the separate entities were unique. However, Kaspersky noticed with glaring evidence that the attacks were both associated with the same adversary.


Malware Analysis: Utilizing the wAgent

The infected machines were servers from the Ministry of Health, where the infection vector is yet unknown. However, it remained undetected during the infection stage due to the fake metadata used to make it appear like a clean compression utility XZ Utils. The malware was executed on the infected server from a command-line shell. Afterwards, a decryption process takes place through a Windows DLL which is loaded in memory.

Finally, wAgent retrieves an in-memory Windows DLL containing backdoor functionalities, which the adversaries took advantage to extract victim information through shell commands.


Malware Analysis: Bookcode

The Bookcode malware cluster was utilized in hacking the servers in the pharmaceutical company. However, the infection vector or initial access remains uncertain. One possibility was through a supply-chain gambit. However, there were also traces in the past that the adversaries used spear-phishing techniques to infect machines with Bookcode malware.

This malware relies on a configuration file and connects with its command and control (C2). Once successful it gains the standard backdoor functionalities and forwards information to the hacker including password hashes.


Companies must approach the threat in multiple angles. One of these is deploying email security software for the workplace because it can help filter emails flagged for inauthentic behaviour and invalid signatures. Another is an enterprise-level anti-malware solution. Obviously, the infection happens through malware, any registered signatures of malware are automatically obliterated and cleansed by anti-malware software. This one is important; well-informed employees against social engineering, people such as employees and users In the workplace, can either be your best defence or your greatest vulnerability. Companies must always keep in mind that the workforce’s people play a role in security. To improve this aspect, we must provide regular updates, reminders and training to counter social engineering. Security over the internet intelligence team can be in charge of proactively scanning the internet for threats that use social media, apps, websites, phone numbers and emails utilized for spear-phishing campaigns that target the people aspect of security.  Hiring such security adds a layer of protection that may protect your brand and business against adversaries that abuses your brand to distribute their malicious activities. These brand abuse may also lead to a data leak, and worse an infection vector if it goes unchecked.

About the author

Leave a Reply