
The North Korea-linked Lazarus Group has been observed weaponizing undisclosed software flaws to compromise South Korean financial entities twice within a year.
The initial intrusion in May 2022 exploited a vulnerable version of certificate software widely used by public institutions and universities, and the re-intrusion in October 2022 targeted the same program with a zero-day exploit.
Cybersecurity firm AhnLab Security Emergency Response Center (ASEC) refrained from naming the software because “the vulnerability has not yet been fully verified and no software patch has been released.”
After gaining an initial foothold through an as-yet-unknown method, the group exploited the zero-day bug to carry out lateral movement shortly after disabling the AhnLab V3 anti-malware engine via a BYOVD attack.
It is worth noting that the Bring Your Own Vulnerable Driver (BYOVD) technique has been used repeatedly by the Lazarus Group in recent months, as documented in a series of reports by both ESET and AhnLab late last year.

Other steps taken to hide malicious behavior include renaming files before deleting them and altering their timestamps with an anti-forensic technique known as timestomping.
The attack ultimately paved the way for multiple backdoor payloads (Keys.dat and Settings.vwx), which are designed to connect to remote command-and-control (C2) servers and retrieve additional binaries for fileless execution.
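Timestomping leaves traces a defender can look for. The script below is an added example, not code from the article or from ASEC, showing two host-side indicators on POSIX filesystems: the kernel-maintained ctime cannot be backdated with utime(), and many stomping tools write whole-second values. The file names, the 2015 timestamp and the skew threshold are constructed assumptions.

```python
import os
import tempfile
from dataclasses import dataclass, field

# Assumption: POSIX (Linux/macOS) semantics, where ctime is kernel-maintained and
# cannot be set through utime(); on Windows st_ctime means creation time instead.
SKEW_NS = 24 * 3600 * 1_000_000_000  # mtime older than ctime by > 1 day


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def inspect_file(path: str, skew_ns: int = SKEW_NS) -> Finding:
    """Return timestomping indicators for one file (empty list = nothing seen)."""
    st = os.stat(path)
    finding = Finding(path)
    # 1. utime() rewrites atime/mtime, but the kernel bumps ctime to "now", so a
    #    modification time far older than the inode change time is the classic sign.
    #    (Archive extraction can look the same, so treat this as a lead, not proof.)
    if st.st_ctime_ns - st.st_mtime_ns > skew_ns:
        finding.reasons.append("mtime predates ctime by more than the allowed skew")
    # 2. Many stomping tools write whole-second values; a normally written file on an
    #    ns-precision filesystem almost never has an all-zero fractional part.
    if st.st_mtime_ns % 1_000_000_000 == 0 and st.st_ctime_ns % 1_000_000_000 != 0:
        finding.reasons.append("mtime has no sub-second component while ctime does")
    return finding


def scan_tree(root: str) -> list:
    """Walk a directory tree and keep only files with at least one indicator."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            f = inspect_file(os.path.join(dirpath, name))
            if f.reasons:
                hits.append(f)
    return hits


def demo() -> tuple:
    """Constructed demo: one untouched file and one whose mtime was backdated to 2015."""
    d = tempfile.mkdtemp()
    clean, stomped = os.path.join(d, "clean.dat"), os.path.join(d, "stomped.dat")
    for p in (clean, stomped):
        with open(p, "wb") as fh:
            fh.write(b"sample")
    old = 1420070400  # 2015-01-01T00:00:00Z, constructed value
    os.utime(stomped, (old, old))  # what a timestomping step does to atime/mtime
    return inspect_file(clean), inspect_file(stomped), scan_tree(d)
```

Run `scan_tree()` over a suspect directory; a hit is a lead for triage against NTFS $FILE_NAME attributes or backup copies, not a verdict on its own.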
This development comes a week after ESET shed light on a new implant called WinorDLL64 that the threat actor deploys via a malware loader named Wslink.
“The Lazarus Group is investigating various other software vulnerabilities, changing the way it disables security products, and implementing anti-forensic techniques that impede or delay detection and analysis in order to spread its attacks to South Korean institutions and companies. It is constantly changing its TTPs by changing the way it infiltrates,” ASEC said.