The North Korean Lazarus hacking group has carried out a series of persistent breaches on a software vendor, repeatedly exploiting vulnerabilities in the vendor’s software. The attacks, which Kaspersky discovered in July 2023, targeted a software vendor and continued between March and August 2023.
Furthermore, this breach highlights Lazarus’s unwavering commitment to their likely objectives of stealing valuable source code and tampering with the software supply chain. These attacks involved the use of SIGNBT malware and a sophisticated infection chain, underscoring the group’s determination and sophisticated tactics.
The report reveals that Lazarus focused on exploiting vulnerabilities in security software used for web communications encryption. Although the exact exploitation method remains unknown, the attacks resulted in the deployment of SIGNBT malware and the injection of shellcode into memory to ensure stealthy execution. Persistence was established by adding a malicious DLL to startup or through Windows Registry modifications, allowing the malware to decrypt and load the SIGNBT payload from a local filesystem path. SIGNBT received its name from the distinct strings it uses for command and control (C2) communications, enabling the exchange of information about the compromised system and executing commands.
The SIGNBT malware supports various commands, such as system information gathering, process management, file system operations, and more. The malware can also fetch additional payloads from the C2, granting Lazarus operational versatility.
Additionally, Lazarus leveraged SIGNBT to load credential dumping tools and the LPEClient malware on compromised systems. LPEClient serves as an info-stealer and loader, demonstrating significant evolution compared to earlier versions and using advanced techniques to improve stealth and avoid detection. These actions by the Lazarus group emphasize the need for organizations to proactively patch software and prevent vulnerabilities’ exploitation.