A new malicious campaign by the notorious Lazarus Group has been observed leveraging malware distributed through legitimate software.
Kaspersky’s Research and Analysis Team (GReAT) unveiled the cyber campaign at the Security Analyst Summit (SAS). The team’s investigation identified a series of cyber incidents where targets were infected through legitimate software designed to encrypt web communications using digital certificates.
Despite patches being available for vulnerabilities, organizations worldwide continued to use the unnamed flawed software, inadvertently providing an entry point for the Lazarus group.
The group showed a high level of sophistication, using advanced evasion techniques and deploying “SIGNBT” malware to control victim machines. They also deployed the LPEClient tool, previously observed targeting defense contractors, nuclear engineers and the cryptocurrency sector.
The researchers’ findings suggest that the Lazarus group’s tactics in this campaign align with those seen in the notorious 3CX supply chain attack.
Read more on the attack: Two Connected Software Supply Chain Attacks Lead to 3CX Compromise
The investigation also revealed that the initial victim, a software vendor, had been targeted multiple times, indicating a determined and focused adversary. This persistence implies an intent to steal critical source code or disrupt the software supply chain.
Kaspersky’s Endpoint Security solution reportedly identified and stopped further attacks against other targets.
“The Lazarus group’s continued activity is a testament to their advanced capabilities and unwavering motivation,” said Seongsu Park, lead security researcher at Kaspersky's GReAT. “They operate on a global scale, targeting a wide range of industries with a diverse toolkit of methods. This signifies an ongoing and evolving threat that demands heightened vigilance.”
In response to these findings, Kaspersky recommended several measures to mitigate the risk of targeted attacks. These include keeping software and security measures up to date, verifying the identity of senders in communications, providing security teams with the latest threat intelligence, upskilling cybersecurity personnel with online training, and implementing endpoint detection and response solutions.