A pair of cyberattacks launched by the Lazarus advanced persistent threat (APT) group may indicate an effort to “build supply chain attack capabilities,” according to Kaspersky researchers. The group behind the attacks targeted legitimate South Korean security software in June, as well as a company developing asset monitoring solutions in Latvia - an “atypical victim” for Lazarus - in May.
Researchers with Kaspersky, in their APT trends report for the third quarter of 2021, said the Lazarus group leveraged an updated version of the DeathNote malware, which is known to send data about the compromised host and fetch a next-stage payload, as well as the Racket downloader. Through these attacks, the group was able to execute a malicious payload to target a think tank in South Korea, said researchers.
“We observed that the infection chain at the think tank stemmed from this security software spawning Lazarus’ Racket downloader," said Ariel Jungheit and David Emm, senior security researchers for the Global Research and Analysis Team (GReAT) with Kaspersky. "This by itself doesn’t necessarily mean that a supply chain attack took place, but it does raise suspicion. The actor focused on a specific old version that might have had a vulnerability allowing Lazarus to leverage this software to infect their targets."
Upon further investigation, researchers observed the DeathNote malware cluster using a slightly updated variant of Blindingcan, a North Korean remote access trojan. The malware was previously highlighted by the U.S. Cybersecurity & Infrastructure Security Agency (CISA) in 2020, which at the time said that it was being used to target government contractors to gather intelligence surrounding key military and energy technologies. The malware was also used to deliver a new variant of Copperhedge, also reported by CISA in 2020, which is a North Korean remote access tool used to target Windows systems.
“As part of the infection chain, Lazarus used a downloader named Racket that they signed using a stolen certificate,” said Kaspersky researchers. “As a result of taking over the attacker’s infrastructure with a local CERT, we had a chance to look into several C2 scripts associated with the DeathNote cluster. The actor compromised vulnerable web servers and uploaded several scripts to filter and control the malicious implants on successfully breached victim machines.”
"Supply chain attacks provide attackers with far-reaching access to a set of targets they can predict, many times with high privileges given the inherent trust put into the abused legitimate software."
Researchers said that the complex, multi-stage infection scheme used to deploy these malware families represented an update for the Lazarus group.
While these are executed in-memory only, the loader and the downloader pieces of the DeathNote cluster are present on disk and are constantly revised to evade detection," they said. "We also saw that the server-side scripts were updated, mainly in terms of the encryption used in communications.
Jungheit and Emm said the recent campaign suggests Lazarus is "working on building up their capacity to perform supply chain attacks." The North Korean threat group (also known as Hidden Cobra and APT38) has been active since 2009 and has in recent years been honing in on the cryptocurrency vertical to launch its attacks. However, this isn’t the first time the group has launched supply chain attacks. For instance, last year researchers with ESET found the APT launching an unusual supply chain attack to target South Korean users of the WIZVERA VeraPort software.
Jungheit and Emm said they believe that the massive impact of supply chain attacks - like the SolarWinds intrusion - has “caught the attention of other APT groups.”
“We saw an increase of supply chain attacks in 2021 of various sophistication levels,” they said. “Supply chain attacks provide attackers with far-reaching access to a set of targets they can predict, many times with high privileges given the inherent trust put into the abused legitimate software. This allows actors to ‘cut corners’ in the attack lifecycle, which also gives them better chances in preserving their anonymity.”
A separate supply chain incident this year, which researchers with Kaspersky refer to as SmudgeX due to its use of a PlugX backdoor, modified the installer package on a distribution server for an unnamed fingerprint scanner software, for instance. The software is used by government employees in an unnamed country in South Asia to support recording attendance, said researchers. The timeline of the attack appears to have been from March through June, and it has been linked to "an APT threat actor, suspected to be HoneyMyte," said Kaspersky researchers.
“The APT modified a configuration file and added a DLL with a .NET version of a PlugX injector to the installer package,” said Kaspersky researchers. “On installation, even without network connectivity, the .NET injector decrypts and injects a PlugX backdoor payload into a new svchost system process and attempts to beacon to a C2.”
Ben Read, director of cyberespionage analysis at Mandiant, said that for years APT groups have focused on both “pure software supply chain” attacks as well as supply chain attacks that rely on managed services providers. The latter type of attack was highlighted this week by an analysis from Microsoft of Nobelium, which was observed targeting at least 140 technology service providers in an ongoing campaign that started in May. A number of other threat groups have been involved with supply chain attacks over the years, including APT10 and APT41, Read said.
“Supply chain attacks go back decades, we’ve seen them from major groups,” he said. “The pure software supply chain attack, as seen with SolarWinds, is a widely used tactic because it is very effective. It’s fraught with the potential for discovery of an initial entry - if attackers can reach that initial entry point in one place they can then reach other victims.”