The Lazarus group leveraged a provide chain assault to focus on customers positioned in South Korea with customized malware.

On November 16, ESET disclosed that the Lazarus group carried out its provide chain assault by abusing WIZVERA VeraPort. This utility helps customers in South Korea handle the set up of extra laptop safety software program once they go to a authorities portal or banking web site that requires it.

Customers generally can’t entry a web site’s sources except they’ve WIZVERA VeraPort put in on their units.

Acknowledging that actuality, the Lazarus group crafted its assault to prey upon machines that had WIZVERA VeraPort put in.

They particularly used stolen code-signing certificates, together with one lifted from a U.S. department of a South Korean safety firm, to push out malware within the VeraPort software program bundle served by a legit however compromised web site.

Simplified scheme of the WIZVERA supply-chain assault carried out by the Lazarus group (Supply: ESET)

The attackers wasted no effort in making their malware payloads seem legit. As quoted by ESET in its analysis:

The attackers camouflaged the Lazarus malware samples as legit software program. These samples have related filenames, icons and VERSIONINFO sources as legit South Korean software program usually delivered through WIZVERA VeraPort. Binaries which are downloaded and executed through the WIZVERA VeraPort mechanism are saved in %Temp%[12_RANDOM_DIGITS].

The ultimate malware payload arrived with performance typical of a Distant Entry Trojan (RAT). The menace used these capabilities to focus on a sufferer’s filesystem in addition to to obtain and set up extra instruments utilized by the malicious actors.

ESET finally attributed the provision chain assault to the Lazarus group primarily based upon the community infrastructure and toolset that factored within the marketing campaign, the collection of South Korean targets as victims and different indicators.

Information of this assault arrived a number of months after safety researchers found a multi-platform malware framework referred to as “MATA” that the Lazarus group had used to focus on victims worldwide.