Lazarus malware has been tracked in new campaigns against South Korean supply chains, made possible through stolen security certificates. 

On Monday, cybersecurity researchers from ESET revealed[1] the abuse of the certificates, stolen from two separate, legitimate South Korean companies. 

Lazarus, also known as Hidden Cobra, is an umbrella term for select threat groups -- including offshoot entities -- suspected of being tied to North Korea. Thought to be responsible for Sony's infamous 2014 hack[2], Lazarus has also been connected to hacks using zero-day vulnerabilities[3], LinkedIn phishing messages[4], and the deployment of Trojans[5] in campaigns including Dacls and Trickbot. 

See also: Lazarus group strikes cryptocurrency firm through LinkedIn job adverts[6]

In recent years, Lazarus has broadened its operations, not only stealing sensitive data from corporations but also compromising cryptocurrency organizations. 

In this supply chain attack, the threat actors are using an "unusual supply chain mechanism," ESET says, in which Lazarus is abusing a standard requirement for South Korean internet users -- the need to install additional security software when they visit government or financial services websites. 

Typically, users will be required to download WIZVERA VeraPort, a program used to manage the software downloads that are necessary to visit particular domains. These downloads may include browser plugins, standalone security software, or identity verification tools. 

WIZVERA VeraPort digitally signs and cryptographically verifies downloads.

"[This] is why attackers can't easily modify the content of these configuration files or set up their own fake website," the researchers say. "However, the attackers can replace the software to be delivered to WIZVERA VeraPort users from a legitimate but compromised website. We believe this is the scenario the Lazarus attackers used."
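The scenario ESET describes, reduced to a runnable illustration: a signature check alone accepts anything signed with the publisher's key, so a key stolen from a legitimate company lets a trojanized installer pass, while pinning the expected file hash in the site's configuration rejects it. This is an added example, not code from ESET or from WIZVERA; the HMAC-based "signature", the configuration layout and the sample installer bytes are all constructed stand-ins and say nothing about how VeraPort itself is implemented.

```python
import hashlib
import hmac

# Constructed stand-in for a publisher's code-signing key. A real deployment
# uses an asymmetric certificate chain; HMAC keeps this example stdlib-only.
# Assumption for the scenario: the attacker has obtained this key.
PUBLISHER_KEY = b"publisher-signing-key-CONSTRUCTED"


def sign(payload: bytes, key: bytes = PUBLISHER_KEY) -> str:
    """Produce a signature over the installer bytes (HMAC stand-in)."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_signature(payload: bytes, signature: str, key: bytes = PUBLISHER_KEY) -> bool:
    """Constant-time comparison of the presented signature with a fresh one."""
    return hmac.compare_digest(sign(payload, key), signature)


def sha256_hex(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


# Constructed samples: the genuine installer and a backdoored replacement
# served from a compromised download location.
GENUINE_INSTALLER = b"genuine security plugin v1.0"
TROJANIZED_INSTALLER = b"genuine security plugin v1.0 + backdoor"

# Hypothetical site configuration (not VeraPort's format): the site lists the
# software it requires together with the hash of the exact build it expects.
SITE_CONFIG = {"security_plugin": {"sha256": sha256_hex(GENUINE_INSTALLER)}}


def signature_only_check(name: str, payload: bytes, signature: str) -> bool:
    """Weak policy: any payload carrying a valid publisher signature is accepted."""
    return verify_signature(payload, signature)


def pinned_check(name: str, payload: bytes, signature: str, config=SITE_CONFIG) -> bool:
    """Stronger policy: the signature must verify AND the file must match the
    hash pinned in the signed site configuration, so a stolen signing key is
    not enough on its own."""
    if not verify_signature(payload, signature):
        return False
    expected = config.get(name, {}).get("sha256")
    return expected is not None and hmac.compare_digest(expected, sha256_hex(payload))


def demo() -> dict:
    """Run both policies against the genuine and the trojanized installer."""
    genuine_sig = sign(GENUINE_INSTALLER)
    # The attacker signs the trojanized build with the stolen publisher key.
    stolen_key_sig = sign(TROJANIZED_INSTALLER)
    return {
        "genuine_signature_only": signature_only_check("security_plugin", GENUINE_INSTALLER, genuine_sig),
        "trojan_signature_only": signature_only_check("security_plugin", TROJANIZED_INSTALLER, stolen_key_sig),
        "genuine_pinned": pinned_check("security_plugin", GENUINE_INSTALLER, genuine_sig),
        "trojan_pinned": pinned_check("security_plugin", TROJANIZED_INSTALLER, stolen_key_sig),
    }


if __name__ == "__main__":
    for policy, accepted in demo().items():
        print(f"{policy}: {'accepted' if accepted else 'rejected'}")
```

The design point is the one in the quote above: integrity of the configuration file is necessary but not sufficient. If the configuration only names a publisher, any binary that publisher's key can sign is trusted, including one signed with a stolen key; if the configuration also commits to the specific build, a replacement at the download location fails the check even with a valid signature.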
