Security News > 2020 > November > Trojanized Security Software Hits South Korea Users in Supply-Chain Attack
Cybersecurity researchers took the wraps off a novel supply chain attack in South Korea that abuses legitimate security software and stolen digital certificates to distribute remote administration tools on target systems.
Attributing the operation to the Lazarus Group, also known as Hidden Cobra, Slovak internet security company ESET said the state-sponsored threat actor leveraged the mandatory requirement that internet users in the country must install additional security software in order to avail Internet banking and essential government services.
Aside from using the aforementioned technique of installing security software in order to deliver the malware from a legitimate but compromised website, the attackers used illegally obtained code-signing certificates in order to sign the malware samples, one of which was issued to the US branch of a South Korean security company named Dream Security USA. "The attackers camouflaged the Lazarus malware samples as legitimate software. These samples have similar file names, icons and resources as legitimate South Korean software," ESET researcher Peter Kálnai said.
Stating that the attacks target websites that use VeraPort - which also comes with a base64-encoded XML configuration file containing a list of software to install and their associated download URLs - ESET researchers said the adversaries replaced the software to be delivered to VeraPort users by compromising a legitimate website with malicious binaries that were then signed with illicitly acquired code-signing certificates to deliver the payloads.
What's more, the campaign appears to be what's a continuation of another Lazarus-mounted attack called Operation BookCodes detailed by the Korea Internet & Security Agency earlier this April, with significant overlaps in TTPs and command-and-control infrastructure.
News URL
Related news
- Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks (source)
- WordPress LiteSpeed Cache Plugin Security Flaw Exposes Sites to XSS Attacks (source)
- Supply Chain Attacks Can Exploit Entry Points in Python, npm, and Open-Source Ecosystems (source)
- EDRSilencer red team tool used in attacks to bypass security (source)
- ISC2 Security Congress 2024: The Landscape of Nation-State Cyber Attacks (source)
- LottieFiles hit in npm supply chain attack targeting users' crypto (source)
- LottieFiles hacked in supply chain attack to steal users’ crypto (source)
- LottieFiles supply chain attack exposes users to malicious crypto wallet drainer (source)
- Stop LUCR-3 Attacks: Learn Key Identity Security Tactics in This Expert Webinar (source)
- South Korea Fines Meta $15.67M for Illegally Sharing Sensitive User Data with Advertisers (source)