Lazarus Attackers Turn to the IT Supply Chain

Kaspersky researchers saw The North Korean state APT use a new variant of the BlindingCan RAT to breach a Latvian IT vendor and then a South Korean think tank.

Lazarus – a North Korean advanced persistent threat (APT) group – is working on launching cyberespionage-focused attacks on supply chains with its multi-platform MATA framework.

The MATA malware framework can target three operating systems: Windows, Linux and macOS. MATA has historically been used to steal customer databases and to spread ransomware in various industries, but in June, Kaspersky researchers tracked Lazarus using MATA for cyber-espionage.

“The actor delivered a Trojanized version of an application known to be used by their victim of choice – a well-known Lazarus characteristic,” they wrote in Kaspersky’s latest quarterly threat intelligence report, released on Tuesday.

Infosec Insiders Newsletter

This is hardly the first time that Lazarus has attacked the defense industry, Kaspersky noted, pointing to the similar, mid-2020 ThreatNeedle campaign.

Lazarus Ramps Up Supply-Chain Attacks

Researchers have also seen Lazarus building supply-chain attack capabilities with an updated DeathNote (aka Operation Dream Job) malware cluster that consists of a slightly updated variant of the North Korean remote-access trojan (RAT) known as BlindingCan.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) sent out an alert about BlindingCan in August 2020, warning that Hidden Cobra – another name for Lazarus that’s used by the U.S. in general to refer to malicious cyber activity by the North Korean government – was using BlindingCan to siphon intelligence out of military and energy outfits.

The researchers have also discovered campaigns targeting a South Korean think tank – with an infection chain that included legitimate South Korean security software that was carrying a malicious payload – and a Latvian IT asset-monitoring tool vendor.

Lazarus Has A Taste for Infiltrating the Military

Researchers consider Lazarus, which has been active since at least 2009, to be one of the world’s most active threat actors. “This APT group has been behind large-scale cyber-espionage and ransomware campaigns and has been spotted attacking the defense industry and cryptocurrency markets,” Kaspersky researchers noted. “With a variety of advanced tools at their disposal, they appear to be applying them to new goals.”

Lazarus’ attacks against the military include a campaign discovered in July, in which the APT was spreading malicious documents to job-seeking engineers by impersonating defense contractors seeking job candidates.

Before that, in February, researchers linked a 2020 spear phishing campaign to the APT that aimed at stealing critical data from defense companies by leveraging an advanced malware called ThreatNeedle.

What a Racket

As part of the infection chain against the Latvian asset-monitoring tool vendor, Lazarus used a downloader named Racket that the threat actors signed with a stolen certificate. “The actor compromised vulnerable web servers and uploaded several scripts to filter and control the malicious implants on successfully breached machines,” Kaspersky said in the summary of its quarterly report, which can be seen in full on SecureList.

Ariel Jungheit, senior security researcher for Kaspersky’s Global Research and Analysis Team (GReAT), said in the summary that the recent discoveries show that Lazarus is still keen on infiltrating the defense industry, but it’s also looking to expand into supply-chain attacks.

“When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organization – something we saw clearly with the SolarWinds attack last year,” Jungheit said, referring to the wave of supply-chain intrusions known as SolarWinds, kicked off by the Nobelium APT late last year.

“With threat actors investing in such capabilities, we need to stay vigilant and focus defense efforts on that front,” Jungheit cautioned.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles