Lazarus Group misuses South Korean legitimate software
The hackers took advantage of the requirement that Internet users in South Korea must install certain security solutions.
Cybersecurity researchers have documented a new malware campaign targeting South Korea's supply chain. Criminals abuse legitimate security software and steal digital certificates to distribute remote access tools to targeted systems.
According to experts from ESET, the operations are the work of the Lazarus Group (also known as Hidden Cobra). The cybercriminals took advantage of the mandatory requirement that Internet users in South Korea must install additional security solutions in order to use Internet banking and government services.
The attacks use the Wizvera VeraPort software, which is designed to integrate and manage installation programs related to Internet banking, such as digital certificates issued by banks to individuals and legal entities to protect all transactions and payments.
In addition to using security software installation techniques to distribute malware from a legitimate but compromised website, the attackers also used illegally obtained code signing certificates to sign malware samples, one of which was issued by the American branch of the South Korean security company Dream Security Korea.
“The attackers disguised the Lazarus malware samples as legitimate software. The malware has the same file names, icons and resources as the South Korean software,” the experts noted.
binary file is downloaded by the malware installer, it extracts two more components, one of which is injected into the Windows process (“svchost.exe”). The final stage payload acts as a RAT and is equipped with commands that allow the malware to perform operations on the victim's filesystem, as well as load and run auxiliary tools from the