Lazarus Group, the advanced persistent threat (APT) group attributed to the North Korean government, has been observed waging two separate supply chain attack campaigns as a means to gain a foothold into corporate networks and target a wide range of downstream entities.
The latest intelligence-gathering operation involved the use of the MATA malware framework as well as backdoors dubbed BLINDINGCAN and COPPERHEDGE to attack the defense industry, an IT asset monitoring solution vendor based in Latvia, and a think tank located in South Korea, according to a new Q3 2021 APT Trends report published by Kaspersky.
In one instance, the supply-chain attack originated from an infection chain that stemmed from legitimate South Korean security software running a malicious payload, leading to the deployment of the BLINDINGCAN and COPPERHEDGE malware on the think tank’s network in June 2021. The other attack, on the Latvian company in May, is an “atypical victim” for Lazarus, the researchers said.
It is not clear whether Lazarus tampered with the IT vendor’s software to distribute the implants or whether the group abused its access to the company’s network to breach other customers. The Russian cybersecurity firm is tracking the campaign under the DeathNote cluster.
That is not all. In what appears to be a different cyber-espionage campaign, the adversary has also been observed leveraging the multi-platform MATA malware framework to perform an array of malicious actions on infected machines. “The actor delivered a Trojanized version of an application known to be used by their victim of choice, representing a known characteristic of Lazarus,” the researchers noted.
According to previous findings by Kaspersky, the MATA campaign is capable of striking Windows, Linux, and macOS operating systems, with the attack infrastructure enabling the adversary to carry out a multi-staged infection chain that culminates in the loading of additional plugins. These plugins give access to a wealth of information, including files stored on the machine, and can extract sensitive database information as well as inject arbitrary DLLs.
Beyond Lazarus, a Chinese-speaking APT threat actor, suspected to be HoneyMyte, was found adopting the same tactic, whereby a fingerprint scanner software installer package was modified to install the PlugX backdoor on a distribution server belonging to a government agency in an unnamed country in South Asia. Kaspersky referred to the supply-chain incident as “SmudgeX.”
The development comes as cyber attacks aimed at the IT supply chain have emerged as a top concern in the wake of the 2020 SolarWinds intrusion, highlighting the need to adopt strict account security practices and take preventive measures to protect enterprise environments.
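Both the SmudgeX incident and the Latvian vendor case above turn on the same weak point: a package fetched from a distribution server that the downstream organisation implicitly trusts. The following is an added example, not code from the article or from Kaspersky, of the integrity check a defender can put in front of installation. The file name, the installer bytes and the manifest are constructed for illustration; the only assumption is that the vendor publishes a digest manifest whose own SHA-256 can be obtained out-of-band (from the vendor directly, not from the distribution server) and pinned in configuration.

```python
"""Verify a downloaded installer against a pinned vendor manifest.

Added example (not from the article or Kaspersky). All file names, bytes
and digests are constructed for illustration.

Threat model: the distribution server is compromised, so an attacker can
replace the installer AND any manifest hosted beside it. The defence is to
pin the digest of the vendor's manifest out-of-band and check the manifest
before trusting any entry in it.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class VerificationResult:
    ok: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(entries: dict) -> bytes:
    """Serialise a {file name: sha256 hex} mapping the way a vendor might publish it."""
    return json.dumps(entries, sort_keys=True).encode()


def load_manifest(manifest_bytes: bytes, pinned_manifest_sha256: str) -> dict:
    """Parse the manifest only after it matches the out-of-band pinned digest.

    Without this step a server-side attacker who swaps the installer simply
    swaps the manifest too and the package check passes."""
    if not hmac.compare_digest(sha256_hex(manifest_bytes), pinned_manifest_sha256):
        raise ValueError("manifest digest does not match pinned value")
    return json.loads(manifest_bytes)


def verify_package(name: str, package_bytes: bytes, manifest: dict) -> VerificationResult:
    """Compare the fetched package against the manifest entry for its name."""
    expected = manifest.get(name)
    if expected is None:
        return VerificationResult(False, f"{name} is not listed in the manifest")
    actual = sha256_hex(package_bytes)
    if not hmac.compare_digest(actual, expected):
        return VerificationResult(False, f"digest mismatch for {name}")
    return VerificationResult(True, f"{name} matches the manifest")


# --- Constructed sample data (not real software) -----------------------------
PACKAGE_NAME = "fpscanner-setup.exe"  # hypothetical installer name
GENUINE_INSTALLER = b"MZ\x90\x00 constructed genuine installer bytes"
# A modified package: the same installer with extra bytes appended.
TAMPERED_INSTALLER = GENUINE_INSTALLER + b"\x00 constructed appended stub"

MANIFEST_BYTES = make_manifest({PACKAGE_NAME: sha256_hex(GENUINE_INSTALLER)})
# In practice this value comes from the vendor out-of-band and lives in config.
PINNED_MANIFEST_SHA256 = sha256_hex(MANIFEST_BYTES)


def check_download(name: str, package_bytes: bytes,
                   manifest_bytes: bytes = MANIFEST_BYTES,
                   pinned_manifest_sha256: str = PINNED_MANIFEST_SHA256) -> VerificationResult:
    """Full check: pinned manifest first, then the package against the manifest."""
    try:
        manifest = load_manifest(manifest_bytes, pinned_manifest_sha256)
    except ValueError as exc:
        return VerificationResult(False, str(exc))
    return verify_package(name, package_bytes, manifest)


if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE_INSTALLER), ("tampered", TAMPERED_INSTALLER)):
        result = check_download(PACKAGE_NAME, blob)
        print(f"{label}: ok={result.ok} ({result.reason})")
```

The check deliberately fails closed: an unlisted file, a digest mismatch, or a manifest that does not match the pinned value all block installation, and the reason string is what a deployment pipeline would log for the SOC to triage.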