Cybersecurity researchers have attributed a recent supply-chain attack in South Korea to a threat group that misused legitimate security software and stolen digital certificates to distribute remote access tools (RATs) to target systems.
Attributing the operation to the Lazarus group, also known as Hidden Cobra, the Slovak internet security company ESET said the state-sponsored threat actor exploited a mandatory requirement that the country's internet users install additional security software in order to use internet banking and essential government services.
Although limited in scope, the attack abuses WIZVERA VeraPort, a program used to integrate and manage the installation of online-banking-related software, such as the digital certificates that banks issue to individuals and organizations to secure transactions and payment processing.
This event is the latest in a long history of espionage attacks on targets in South Korea, including Operation Troy, the DDoS attacks of 2011, and attacks on banks and cryptocurrency exchanges over the past decade.
In addition to exploiting the above requirement to install security software in order to spread malware from a legitimate but compromised website, the attackers used illegally obtained code-signing certificates to sign their malware samples; one of these certificates had been issued to a branch of a South Korean security company called Dream Security USA.
The attackers used samples of Lazarus malware disguised as legitimate software. These samples have filenames, icons and resources similar to those of legitimate South Korean software, said Peter Kálnai, a researcher at ESET. It is the combination of compromised websites with WIZVERA VeraPort support and specific VeraPort configuration options that allows attackers to carry out this attack.
The ESET researchers said the attacks targeted websites that use VeraPort, which relies on a base64-encoded XML configuration file listing the software to be installed and the associated download URLs. By compromising a legitimate website, the adversaries were able to replace the software delivered to that site's VeraPort users with malicious executables, which were then signed with the illegally obtained code-signing certificates to deliver the payload.
According to the researchers, WIZVERA VeraPort configurations include an option to verify the digital signature of downloaded binaries before they are executed, and in most cases this option is enabled by default. However, VeraPort only checks that the digital signature is valid; it does not check whom the signing certificate belongs to.
The signed binary then downloads a malicious dropper, which extracts two further components, a Loader and a Downloader; the Loader injects the Downloader into one of the Windows processes (svchost.exe). In the final stage, the Downloader fetches a RAT that supports commands to operate on the victim's file system and to download and execute additional tools from the attacker's arsenal.
The campaign also appears to be a continuation of another Lazarus operation, Operation BookCodes, which the Korea Internet & Security Agency (KISA) described in detail in early April this year, with significant overlaps in tactics, techniques and procedures (TTPs) and in command-and-control (C2) infrastructure.
Supply-chain attacks are particularly attractive to attackers because they allow malware to be spread covertly to many computers at once, the researchers concluded.
Owners of VeraPort-enabled sites can reduce the likelihood of such attacks, even if their sites are compromised, by enabling additional options, such as specifying the hashes of the executable files in the VeraPort configuration.
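The two checks discussed above, a signature-validity check that ignores signer identity versus a policy that also pins the executable's hash from the configuration, side by side. This is an added illustration, not ESET's analysis code or WIZVERA's implementation; the XML element names, the signer allowlist and the sample installer bytes are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed stand-ins for a legitimate installer and a trojanised replacement.
GOOD_BINARY = b"MZ legitimate bank plugin (constructed sample bytes)"
EVIL_BINARY = b"MZ trojanised installer (constructed sample bytes)"
PINNED_URL = "https://bank.example.invalid/plugin.exe"
UNPINNED_URL = "https://bank.example.invalid/legacy.exe"

# Constructed base64-encoded XML config; element and attribute names are
# assumptions, not WIZVERA's real schema. One entry pins a SHA-256, one does not.
CONFIG_B64 = base64.b64encode(f"""<install>
  <program url="{PINNED_URL}" sha256="{hashlib.sha256(GOOD_BINARY).hexdigest()}"/>
  <program url="{UNPINNED_URL}"/>
</install>""".encode()).decode()

TRUSTED_SIGNERS = {"Example Bank Co., Ltd."}  # assumed per-site allowlist


@dataclass
class Signature:
    valid: bool   # signature and chain verify (the check VeraPort performs)
    signer: str   # subject the code-signing certificate was issued to


def parse_config(b64: str) -> dict:
    """Decode the base64 XML and map each download URL to its pinned hash (or None)."""
    root = ET.fromstring(base64.b64decode(b64))
    return {p.get("url"): p.get("sha256") for p in root.iter("program")}


def weak_policy(sig: Signature) -> bool:
    """Signature-only check: any valid signature passes, whoever signed it."""
    return sig.valid


def hardened_policy(url: str, data: bytes, sig: Signature, config: dict) -> bool:
    """Require a valid signature from an allowlisted signer AND a matching pinned hash."""
    expected = config.get(url)
    if not expected:                      # no hash pinned for this URL: refuse to run it
        return False
    if not sig.valid or sig.signer not in TRUSTED_SIGNERS:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)
```

A binary signed with a valid but unrelated (for example stolen) certificate passes `weak_policy` yet fails `hardened_policy`, and an entry without a pinned hash is rejected outright.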