ESET: Attackers Used Hijacked Software to Target South Korean Organizations
North Korean hackers are suspected of carrying out a novel supply-chain attack that targeted South Korean organizations, including financial firms, using stolen code-signing certificates, according to researchers at security firm ESET.
An analysis of the tools used during this attack and some of the targets selected have led ESET to attribute this campaign to the North Korean Lazarus Group, which is also called Hidden Cobra by the U.S. government agencies that track its activities (see: Defense Contractor Hacking More Expansive Than First Thought).
In this latest campaign, it appears the hackers used illegally obtained or stolen code-signing certificates to sign the malware samples used as part of the attack. In at least one case, the stolen certificate appears to have come from the U.S. branch of a South Korean security company, according to the report.
“Attackers are particularly interested in supply-chain attacks because they allow them to covertly deploy malware on many computers at the same time,” according to the ESET report released Monday.
While this is an unusual approach to targeting victims, the ESET report notes that such campaigns are difficult to pull off, which the researchers believe kept the scope of this one limited.
“A successful malware deployment using this method requires a number of preconditions; that’s why it was used in limited Lazarus campaigns,” Anton Cherepanov and Peter Kálnai, threat researchers with ESET, note in the report.
In the campaign ESET uncovered, the hackers abused Wizvera VeraPort, a South Korean integration installer used by many government agency and banking websites to deliver the additional browser security software those sites require, including components that help verify the user's identity, according to the report.
In South Korea, users are typically required to download and install additional security software when visiting government or banking sites, and the Wizvera VeraPort is one of the tools available, according to the report.
In the first stage of the campaign, Lazarus compromises a website that uses VeraPort, whether by phishing its operators or by some other means, so that the site serves malicious binaries in place of the legitimate software VeraPort is meant to install, the researchers note.
The stolen certificates are then used to sign those binaries, so that the Lazarus malware passes as legitimate software when VeraPort downloads it, according to the report.
“The attackers camouflaged the Lazarus malware samples as legitimate software,” Cherepanov and Kálnai note in the report. “These samples have similar filenames, icons and version info resources as legitimate South Korean software often delivered via Wizvera VeraPort.”
The report stresses, however, that the attack relies on compromising websites that use Wizvera VeraPort, not on compromising the software vendor itself.
“Once downloaded, they are verified using a strong cryptographic algorithm (RSA), which is why attackers can’t easily modify the content of these configuration files or set up their fake website,” according to the report. “However, the attackers can replace the software to be delivered to Wizvera VeraPort users from a legitimate but compromised website. We believe this is the scenario the Lazarus attackers used.”
Difficulties of Attack
The ESET report notes that the complexity of this attack, from stealing the certificates to getting the potential victim to visit a compromised site, makes these types of campaigns limited in scope.
The attack also requires that the potential victim already have Wizvera VeraPort installed on a device and be lured to a compromised site that serves the malware.
If all these steps take place, however, a dropper is installed on the victim’s device, which then connects to a command-and-control server controlled by the hackers. A remote access Trojan, or RAT, is then installed, which can act as a backdoor or exfiltrate data, according to the report.
“It’s the combination of compromised websites with Wizvera VeraPort support and specific VeraPort configuration options that allow attackers to perform this attack,” according to the ESET researchers.
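The mechanism described above, as an added example that is not code from ESET, Wizvera or the original article: the site's configuration is signed by the vendor and cannot be altered, but the attacker controls which binary the compromised site actually serves and signs it with a stolen, still-trusted certificate. The model below assumes, as a simplification, that a weak installer policy accepts any binary carrying a valid signature from a trusted publisher, and contrasts it with a policy that pins the signer to the publisher named in the config and checks the binary's hash. All publisher names, keys, file names and binaries are constructed for the example, and an HMAC stands in for a real RSA code signature so it runs with only the standard library.

```python
import hashlib
import hmac

# Constructed "certificate store": publisher -> private signing key.
# An HMAC over the binary stands in for an RSA code signature; the point
# of the example is the acceptance policy, not the signature primitive.
TRUSTED_PUBLISHERS = {
    "Example Bank Security Co.": b"key-of-the-legitimate-vendor",
    "Example Security Vendor USA": b"key-later-stolen-by-attacker",
}


def sign(publisher, blob):
    """Sign a binary with the named publisher's key (model of code signing)."""
    return hmac.new(TRUSTED_PUBLISHERS[publisher], blob, "sha256").hexdigest()


def signature_valid(publisher, blob, sig):
    """True if sig is a valid signature over blob by a trusted publisher."""
    key = TRUSTED_PUBLISHERS.get(publisher)
    if key is None:
        return False
    expected = hmac.new(key, blob, "sha256").hexdigest()
    return hmac.compare_digest(expected, sig)


# Constructed site configuration. In the real system this file is
# RSA-verified before use, so the attacker cannot edit it; they can only
# change the binary the site serves for the listed package.
LEGIT_BINARY = b"MZ\x90\x00 legitimate SecurePlugin build 1.2.3"
MALICIOUS_BINARY = b"MZ\x90\x00 dropper disguised as SecurePlugin"

SITE_CONFIG = {
    "SecurePlugin.exe": {
        "publisher": "Example Bank Security Co.",
        "sha256": hashlib.sha256(LEGIT_BINARY).hexdigest(),
    }
}


def serve_legit():
    """What an intact website delivers for SecurePlugin.exe."""
    return {"blob": LEGIT_BINARY, "signer": "Example Bank Security Co.",
            "sig": sign("Example Bank Security Co.", LEGIT_BINARY)}


def serve_compromised():
    """What the compromised website delivers: the attacker's binary, signed
    with a stolen certificate that the installer still trusts."""
    return {"blob": MALICIOUS_BINARY, "signer": "Example Security Vendor USA",
            "sig": sign("Example Security Vendor USA", MALICIOUS_BINARY)}


def weak_check(served):
    """Weak policy: accept any binary with a valid signature from some
    trusted publisher, without asking which publisher was expected."""
    return signature_valid(served["signer"], served["blob"], served["sig"])


def strict_check(name, served):
    """Hardened policy: the signer must be the publisher pinned in the
    config, the signature must verify, and the hash must match."""
    entry = SITE_CONFIG[name]
    if served["signer"] != entry["publisher"]:
        return False
    if not signature_valid(served["signer"], served["blob"], served["sig"]):
        return False
    return hashlib.sha256(served["blob"]).hexdigest() == entry["sha256"]


def run_scenarios():
    """Return which policy accepts the legitimate and the swapped binary."""
    return {
        "weak_accepts_legit": weak_check(serve_legit()),
        "weak_accepts_swapped": weak_check(serve_compromised()),
        "strict_accepts_legit": strict_check("SecurePlugin.exe", serve_legit()),
        "strict_accepts_swapped": strict_check("SecurePlugin.exe", serve_compromised()),
    }


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario}: {accepted}")
```

The weak policy accepts the swapped binary because "signed by someone we trust" is satisfied by any stolen certificate; pinning the expected publisher in the signed configuration, and better still the expected hash, is what removes the attacker's room to substitute the download.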
Lazarus or Hidden Cobra is suspected of carrying out a series of high-profile attacks, including the Sony Pictures hack of 2014 as well as the WannaCry ransomware attacks of 2017 (see: US Offers $5 Million Reward for N. Korea Hacker Information).
Since those attacks, U.S. government agencies such as the FBI have issued regular warnings about North Korea-sponsored hackers and have published data on nearly 30 malware variants associated with hacking groups suspected of working with the regime (see: Group Behind WannaCry Now Using New Malware).