Lazarus Group steps up its game in South Korean Financial Institution Hack – CryptoMode
The Lazarus Group, a North Korea-linked cyber threat group, has been found to have exploited vulnerabilities in undisclosed software to breach a South Korean financial entity twice within a year.
The first attack, which occurred in May 2022, involved the use of a vulnerable version of a certificate software widely used by public institutions and universities. The second attack, in October 2022, used a zero-day vulnerability in the same software.
Cyber security firm AhnLab Security Emergency Response Center (ASEC) has declined to disclose further details. Besides, they quote that the vulnerability has not been fully verified and no software update has been released.
The Lazarus group gained access with an unknown method, and then used a zero-day vulnerability to move laterally. In addition, the group disabled the AhnLab V3 anti-malware engine via a BYOVD attack, a technique it has used in recent months. The group also used other methods to hide its activities, including filename changes, timestamping, and anti-forensic techniques.
The attack allowed the group to deliver several backdoor payloads, including Keys.dat and Settings.vwx. These files are designed to connect to a remote command and control server and retrieve multiple binaries. Such binaries can then be run in a fileless manner.
Last week, cybersecurity firm ESET reported a new implant called WinorDLL64. The threat is distributed by the Lazarus Group using a malware loader called Wslink. ASEC warned that the Lazarus Group continues to research vulnerabilities in various software. The group is constantly changing tactics to avoid detection and infiltrate Korean institutions and companies.
The use of advanced and ever-evolving techniques by cyber threat groups highlights the need for continued vigilance and proactive cyber security measures by organizations worldwide.
The Lazarus Group has also been involved in various cryptocurrency-related hacks and thefts. The Ronin Bridge incident is attributed to this collective, among others. In addition, the unit often launders its stolen proceeds through mixers and tumblers to mask its tracks.
None of the information on this website is investment or financial advice and does not necessarily reflect the views of CryptoMode or the author. CryptoMode is not responsible for any financial losses incurred by acting on information provided on this website by its authors or customers. Always do your research before making any financial commitments, especially with third-party reviews, pre-sales and other opportunities.