North Korea's Lazarus cyber-gang caught 'spying' on chemical sector companies
North Korea's Lazarus cybercrime gang is now breaking into chemical sector companies' networks to spy on them, according to Symantec's threat intel team.
Fresh evidence has been found linking a recent espionage campaign against South Korean targets to file hashes, file names, and tools previously used by Lazarus, according to Symantec.
Symantec's threat hunting team says Lazarus' more-recent focus on chemical companies began in January, when the security firm detected network activity on "a number of organizations based in South Korea."
"The DLL file gets injected into INISAFE Web EX Client, which is legitimate system management software. The scskapplink.dll file is typically a signed Trojanized tool with malicious exports added," the Symantec threat hunters said, adding that the crime gang has used the following developer signatures: DOCTER USA, INC and "A" MEDICAL OFFICE, PLLC. The injected malicious code downloads and executes a backdoor payload from a command-and-control server that Symantec said uses the URL parameter key/values "Prd fld=racket." At this point, the malware repeatedly connects to the C2 server to execute shellcode and download additional malware to run.
Cpl, which Symantec said was likely to collect the dumped system hives.
Meanwhile Washington is also pursuing a UN Security Council resolution that would freeze Lazarus' assets and be a direct blow to the North Korean government's coffers.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/04/15/lazarus_chemical_korea/