NEWS Report

Kaspersky Exposes Lazarus’ New Campaign exploiting Legitimate Software

Kaspersky

To avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend regularly updating your operating system, applications, and antivirus software to patch any known vulnerabilities.

A new campaign by the infamous Lazarus group targeting organizations worldwide has been uncovered by Kaspersky’s Global Research and Analysis Team (GReAT). The research, presented at the Security Analyst Summit (SAS), revealed a sophisticated APT campaign distributed via malware and spread through legitimate software.

The GReAT team discovered a sequence of cyber incidents in which targets were compromised through the exploitation of legitimate software meant for encrypting web communication via digital certificates. Even after vulnerabilities had been reported and fixed, organizations across the globe continued to utilize the flawed software version, inadvertently offering an entry point for the well-known Lazarus group.

The adversary exhibited a high level of sophistication, employing advanced evasion techniques and deploying “SIGNBT” malware to control the victim. They also applied the already well-known LPEClient tool, previously seen targeting defense contractors, nuclear engineers and the cryptocurrency sector. LPEClient acts as the initial point of infection and plays a crucial role in profiling the victim and delivering the payload. Kaspersky researchers’ observations indicate that LPEClient’s role in this and other attacks aligns with the tactics employed by the Lazarus group, as also seen in the notorious 3CX supply chain attack.

“The Lazarus group’s continued activity is a testament to their advanced capabilities and unwavering motivation. They operate on a global scale, targeting a wide range of industries with a diverse toolkit of methods. This signifies an ongoing and evolving threat that demands heightened vigilance,” said Seongsu Park, Lead Security Researcher, Kaspersky’s Global Research and Analysis Team.

Further investigation revealed that the Lazarus malware had already targeted the initial victim, a software vendor, several times before. This pattern of recurring attacks indicates a determined and focused adversary, likely intending to steal critical source code or disrupt the software supply chain.
