Lazarus Group, the advanced persistent threat (APT) group attributed to the North Korean government, has been observed waging two separate supply chain attack campaigns as a means to gain a foothold into corporate networks and target a wide range of downstream entities.
The latest intelligence-gathering operation involved the use of the MATA malware framework as well as backdoors dubbed BLINDINGCAN and COPPERHEDGE to attack the defense industry, an IT asset monitoring solution vendor based in Latvia, and a think tank located in South Korea, according to a new Q3 2021 APT Trends report published by Kaspersky.
In one instance, the supply-chain attack originated from an infection chain that stemmed from legitimate South Korean security software running a malicious payload, leading to the deployment of the BLINDINGCAN and COPPERHEDGE malware on the think tank's network in June 2021. The other attack, on the Latvian company in May, is an "atypical target" for Lazarus, the researchers said.
It is not clear whether Lazarus tampered with the IT vendor's software to distribute the implants or whether the group abused its access to the company's network to breach other customers. The Russian cybersecurity firm is tracking the campaign under the DeathNote cluster.
That's not all. In what appears to be a separate cyber-espionage campaign, the adversary has also been observed leveraging the multi-platform MATA malware framework to carry out an array of malicious activities on infected machines. "The actor delivered a Trojanized version of an application known to be used by their victim of choice, representing a known characteristic of Lazarus," the researchers said.
According to previous findings by Kaspersky, the MATA framework is capable of targeting Windows, Linux, and macOS operating systems, with the attack infrastructure enabling the adversary to carry out a multi-staged infection chain that culminates in the loading of additional plugins. These plugins give access to a wealth of information, including files stored on the device, allow extraction of sensitive database contents, and can inject arbitrary DLLs.
Beyond Lazarus, a Chinese-speaking APT threat actor, suspected to be HoneyMyte, was found adopting the same tactic: a fingerprint scanner software installer package was modified to install the PlugX backdoor on a distribution server belonging to a government agency in an unnamed country in South Asia. Kaspersky referred to the supply-chain incident as "SmudgeX."
The development comes as cyber attacks aimed at the IT supply chain have emerged as a top concern in the wake of the 2020 SolarWinds intrusion, highlighting the need to adopt stringent account security practices and take preventive measures to protect enterprise environments.
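The SmudgeX incident above is a case where an installer package was swapped on the distribution server itself, so any integrity check that trusts a manifest stored on that same server is defeated the moment the attacker can write to it. The following is an added example (not code from Kaspersky or from the article) of one preventive measure: a SHA-256 manifest of the packages on a distribution share, signed with an HMAC key that is held off the server, so that a replaced package is flagged even when the attacker regenerates the manifest. The file names, contents and key are constructed for the demonstration; in production the manifest would be signed with an offline or HSM-held key rather than a shared secret.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample: a "distribution share" modelled as filename -> bytes.
# Real installers are large binaries; short strings stand in for them here.
PRISTINE_SHARE: Dict[str, bytes] = {
    "fp-scanner-setup.exe": b"MZ...legitimate fingerprint scanner installer...",
    "release-notes.txt": b"v2.3.1 - bug fixes",
}

# What the share looks like after an attacker swaps the installer for a
# build that bundles a backdoor (hypothetical, stands in for the SmudgeX case).
TAMPERED_SHARE: Dict[str, bytes] = {
    "fp-scanner-setup.exe": b"MZ...installer plus bundled PlugX-style dropper...",
    "release-notes.txt": b"v2.3.1 - bug fixes",
}

# Assumed: this key lives with the release team, never on the distribution server.
SIGNING_KEY = b"offline-release-signing-key-constructed-for-demo"


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 of every package, keyed by name, in a stable order."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in sorted(files.items())}


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC over a canonical JSON encoding so signer and verifier hash identical bytes."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_share(files: Dict[str, bytes], manifest: Dict[str, str],
                 signature: str, key: bytes) -> List[str]:
    """Return a list of findings; an empty list means the share matches the signed manifest."""
    # Check the manifest's own authenticity first: if the attacker could edit the
    # server, they could also have rewritten an unsigned manifest to match.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return ["manifest signature invalid: do not trust any file on this share"]
    findings = []
    for name, expected in manifest.items():
        if name not in files:
            findings.append(f"missing: {name}")
        elif not hmac.compare_digest(hashlib.sha256(files[name]).hexdigest(), expected):
            findings.append(f"modified: {name}")
    for name in files:
        if name not in manifest:
            findings.append(f"unlisted: {name}")
    return findings


# Release time: manifest and signature are produced where the key lives.
MANIFEST = build_manifest(PRISTINE_SHARE)
SIGNATURE = sign_manifest(MANIFEST, SIGNING_KEY)

# Attacker scenario: after swapping the installer, they also regenerate the
# manifest, but can only sign it with a key they chose (they lack the real one).
ATTACKER_MANIFEST = build_manifest(TAMPERED_SHARE)
ATTACKER_SIGNATURE = sign_manifest(ATTACKER_MANIFEST, b"guessed-key")


def run_checks() -> Dict[str, List[str]]:
    """Run the three scenarios and return their findings for inspection."""
    return {
        "pristine": verify_share(PRISTINE_SHARE, MANIFEST, SIGNATURE, SIGNING_KEY),
        "swapped_installer": verify_share(TAMPERED_SHARE, MANIFEST, SIGNATURE, SIGNING_KEY),
        "swapped_with_forged_manifest": verify_share(
            TAMPERED_SHARE, ATTACKER_MANIFEST, ATTACKER_SIGNATURE, SIGNING_KEY),
    }


if __name__ == "__main__":
    for scenario, findings in run_checks().items():
        print(f"{scenario}: {findings or 'OK'}")
```

The point of the third scenario is the one that matters for a compromised distribution server: hashing the packages is not enough, because whoever replaced the installer can regenerate a hash list; the check only holds if the manifest's signature is produced with a key the server never holds. The same design applies to a signed SBOM or a package-repository metadata file verified by clients before installation.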