Lazarus Abused Unknown Software To Breach a South Korean Financial Organization
Category: Threat Actor Activity | Industry: Financial Services | Level: Tactical | Source: ASEC
North Korea-linked hacking group Lazarus abused undisclosed software twice in 2022 to compromise a South Korean financial institution. The first attack was identified in May 2022 and exploited a vulnerability in certificate software commonly used by public institutions and universities. Although the breached institution updated the software library to the latest version, a re-infiltration occurred in October 2022, abusing a zero-day exploit in the same program. A report by AhnLab Security Emergency Response Center (ASEC) did not disclose the software in question because the vendor has yet to release a patch. The second attack commenced on October 21st, 2022, with the initial access vector unknown; it is possible the threat actors resumed control of the compromised network through a backdoor left open from the first intrusion. ASEC observed the zero-day being leveraged for lateral movement between internal systems that had the vulnerable software installed. From there the operators disabled security monitoring by the AhnLab V3 anti-malware engine and carried out a bring your own vulnerable driver (BYOVD) attack. The intrusion ultimately led to the installation of several backdoor payloads (Keys.dat and Settings.vwx) that establish a connection to a remote command-and-control (C2) server.
Anvilogic Use Cases:
- Injected Process Stops Services & Runs Driver
- Rare Remote Thread
- Modify Registry Key
- Driver as Command Parameter
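As an added illustration of the "Driver as Command Parameter" use case (example code written for this page, not ASEC's or Anvilogic's own detection logic), the function below scans constructed process-creation events for a `.sys` path supplied on the command line from outside the trusted driver directories, which is the observable a BYOVD loader leaves when it hands its driver to a service-control or loader utility. The event fields, sample paths and the trusted-directory list are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe create evildrv type= kernel binPath= C:\Users\Public\drv.sys"},
    {"image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe create gooddrv type= kernel binPath= C:\Windows\System32\drivers\good.sys"},
    {"image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe query wuauserv"},
    {"image": r"C:\Users\Public\loader.exe",
     "cmdline": r"loader.exe --driver C:\Temp\vuln.sys"},
    {"image": r"C:\Windows\System32\pnputil.exe",
     "cmdline": r"pnputil.exe /add-driver C:\Windows\System32\DriverStore\oem1.inf"},
]

# Any absolute Windows path ending in .sys that appears as a command-line argument.
DRIVER_ARG = re.compile(r"(?i)\b[a-z]:\\[^\s\"']+\.sys\b")
# Assumed locations from which legitimate driver loading is expected (compared lower-cased).
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")


@dataclass
class Finding:
    image: str
    driver_path: str
    reason: str


def detect_driver_as_parameter(events):
    """Return one Finding per .sys path passed on a command line from an untrusted directory.

    A driver referenced from a user-writable location, or passed to a binary that is not a
    system utility, is the signal worth alerting on; drivers loaded from the normal driver
    directories are skipped to keep the rule quiet on routine installs.
    """
    findings = []
    for ev in events:
        for match in DRIVER_ARG.finditer(ev["cmdline"]):
            path = match.group(0)
            if path.lower().startswith(TRUSTED_DRIVER_DIRS):
                continue
            if ev["image"].lower().endswith(r"\sc.exe"):
                reason = "service control utility loading driver from untrusted path"
            else:
                reason = "driver path passed to non-system binary"
            findings.append(Finding(ev["image"], path, reason))
    return findings
```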