Specific configuration options of a security application, coupled with compromised websites, led to an exploit that passed malware code as safe.
Through investigations of a recent supply-chain attack in South Korea, cybersecurity researchers have observed that Lazarus malware now attempts to deploy an unusual mechanism.
In order to deliver malware, the attackers abused legitimate South Korean security software and digital certificates stolen from two different companies.
The attack was made easier for Lazarus since South Korean internet users are often asked to install additional security software when visiting government or internet banking websites.
Additionally, the attackers used illegally obtained code-signing certificates in order to sign the malware samples. These samples have similar file names, icons and resources as legitimate South Korean software. Interestingly, one of these certificates was issued to the US branch of a South Korean security company.
WIZVERA Veraport’s role
Explained Anton Cherepanov, a researcher at ESET who led an investigation into the attack: “To understand this novel supply-chain attack, you should be aware that WIZVERA VeraPort, referred to as an ‘integration installation program’, is a South Korean application that helps manage such additional security software. When WIZVERA VeraPort is installed, users receive and install all necessary software required by a specific website. Minimal user interaction is required to start such software installation.”
Usually this software is used by government and banking websites in South Korea. For some of these websites it is mandatory to have WIZVERA VeraPort installed, Cherepanov added. His team mate Peter Kálnai added: “It’s the combination of compromised websites with WIZVERA VeraPort support and specific VeraPort configuration options that allows attackers to perform this attack.”
Operation BookCodes
ESET researchers have strong reasons to attribute the attack to Lazarus, as it is a continuation of what KrCERT has called Operation BookCodes, attributed to Lazarus by some in the cybersecurity research community.
The other reasons are: typical toolset characteristics; detection (many tools are already flagged as NukeSped by ESET); the fact that the attack took place in South Korea, where Lazarus is known to operate; the unusual and custom nature of the intrusion and encryption methods used; and the setup of network infrastructure.
It must be noted that the Lazarus toolset is extremely broad, and researchers believe there are numerous subgroups. Unlike toolsets used by some other cybercriminal groups, none of the source code of any Lazarus tools has ever been disclosed in a public leak.