JAKARTA - Kaspersky's GReAT team has uncovered a new Lazarus campaign that combines watering hole attacks with the exploitation of vulnerabilities in third-party software.

According to its analysis, the attackers targeted at least six organizations in South Korea across the software, IT, finance, semiconductor and telecommunications sectors.

In the watering hole attack, the threat actor filtered incoming traffic to identify targeted individuals and selectively redirected only those targets to an attacker-controlled website.

That site is where a series of technical steps begins the attack chain. The method highlights the highly targeted and strategic nature of the group's operations.

The Lazarus Group has been active since at least 2009. In recent operations, the group was seen exploiting a one-day vulnerability in the Innorix Agent, a third-party browser-integrated tool used for secure file transfer in administrative and financial systems.

By exploiting this vulnerability, attackers can move laterally and install additional malware on targeted hosts.

This ultimately led to the spread of Lazarus' signed malware as part of a larger attack chain: it was delivered via the Agamemnon downloader and specifically targeted the vulnerable Innorix Agent version (9.2.18.496).

While analyzing the malware's behavior, Kaspersky GReAT experts discovered a zero-day vulnerability that allows arbitrary additional files to be downloaded; they found it before any threat actor had used it in an attack.

Kaspersky reported the problem in the Innorix Agent to the Korea Internet & Security Agency (KrCERT) and to the vendors. The software has since been updated with a patched version.

"A proactive approach to cybersecurity is critical. Early detection of the threat is key to preventing broader compromise across the system," said Sojun Ryu, security researcher at the Kaspersky GReAT (Global Research and Analysis Team).

The English, Chinese, Japanese, Arabic, and French versions are automatically generated by AI, so there may still be inaccuracies in the translation; please always refer to the Indonesian version as our main language. (system supported by DigitalSiber.id)