Hackers associated with the Lazarus group, which is suspected of being tied to North Korea, are now targeting South Korean supply chains, cybersecurity researchers from ESET said.
The attackers abused legitimate South Korean security software and digital certificates stolen from two different companies to deploy their malware.
The Lazarus Group’s activities were widely reported after it was blamed for the 2014 cyber attack on Sony Pictures Entertainment and the 2017 WannaCry ransomware attack on countries including the US and Britain.
Malware researchers Anton Cherepanov and Peter Kalnai wrote that the hackers are particularly interested in supply chain attacks, because they allow them to covertly deploy malware on many computers at the same time.
“We can predict that the number of supply-chain attacks will increase in the future, especially against companies whose services are popular in specific regions or in specific industry verticals,” the researchers wrote in a post detailing how ESET researchers discovered attempts to deploy Lazarus malware via a supply chain attack in South Korea.
The researchers explained that Internet users in South Korea are often asked to install additional security software when visiting government or Internet banking websites.
WIZVERA VeraPort is a South Korean application that helps manage such additional security software.
After installing this application on their devices, users receive and install through VeraPort all of the software required by a specific website.
The attackers abused this mechanism in order to deliver Lazarus malware from a legitimate but compromised website, according to the ESET researchers.
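The security-relevant point in the mechanism described above is that a validly signed installer is not the same thing as an installer signed by the publisher you expect: a certificate stolen from a legitimate company still produces a valid Authenticode signature. The following PowerShell script is an added example (it is not ESET's, WIZVERA's or the article's code) showing how an endpoint or deployment pipeline can pin downloaded installers to an allowlist of expected signer thumbprints and re-check the certificate chain with revocation. The function name `Test-ExpectedSigner` and the thumbprint values are hypothetical placeholders; the cmdlets and .NET types used are standard.

```powershell
# Added example, not from the article: accept an installer only if it is validly signed AND
# signed by a publisher on an explicit allowlist. A stolen certificate from a legitimate vendor
# still gives Status = Valid, so the allowlist and revocation check are the important parts.
param(
    [Parameter(Mandatory)] [string] $Path
)

# Hypothetical allowlist: SHA-1 thumbprints of the code-signing certificates you trust for this
# installer. These are placeholders; replace them with the thumbprints your vendor publishes.
$ExpectedThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_VENDOR_A',
    'PLACEHOLDER_THUMBPRINT_VENDOR_B'
)

function Test-ExpectedSigner {
    param([string] $FilePath, [string[]] $Allowed)

    $sig = Get-AuthenticodeSignature -FilePath $FilePath

    # Unsigned, tampered or untrusted-root files are rejected outright.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ File = $FilePath; Result = 'REJECT'; Reason = "signature status: $($sig.Status)" }
    }

    $thumb   = $sig.SignerCertificate.Thumbprint
    $subject = $sig.SignerCertificate.Subject

    # Valid signature but an unexpected signer: exactly what a stolen or misused certificate produces.
    if ($Allowed -notcontains $thumb) {
        return [pscustomobject]@{ File = $FilePath; Result = 'REJECT'; Reason = "unexpected signer $subject ($thumb)" }
    }

    # Re-build the chain with online revocation checking so a certificate the owner has since
    # revoked does not keep passing on cached or offline validation results.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($sig.SignerCertificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        return [pscustomobject]@{ File = $FilePath; Result = 'REJECT'; Reason = "chain/revocation check failed: $status" }
    }

    return [pscustomobject]@{ File = $FilePath; Result = 'ACCEPT'; Reason = "signed by $subject" }
}

Test-ExpectedSigner -FilePath $Path -Allowed $ExpectedThumbprints
```

Run it as `.\Check-Installer.ps1 -Path C:\Downloads\setup.exe` and treat anything other than `ACCEPT` as a deployment blocker; logging the `REJECT` reasons centrally also gives a detection signal, since a flood of "unexpected signer" results for a normally well-known installer is worth an analyst's attention.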
ESET Research has strong indications for attributing the attack to Lazarus, because it is a continuation of what KrCERT has called Operation BookCodes, which some in the cybersecurity research community have attributed to Lazarus.
Further indicators are the typical toolset characteristics; detection history (ESET already flags many of the tools as NukeSped); the fact that the attack took place in South Korea, where Lazarus is known to operate; the unusual and custom nature of the intrusion and encryption methods used; and the setup of the network infrastructure.