By infiltrating vendors and poisoning their software products, the group has been able to breach firms with poor software patching hygiene.
Researchers have recently observed the attackers weaponizing a legitimate piece of software designed to encrypt web communications using digital certificates.
The vendor of that software is believed to have been compromised repeatedly in earlier attacks, during which the SIGNBT loader malware, accompanied by shellcode, maintained a persistent presence on the affected systems.
The attackers also deployed the already well-known LPEClient tool, previously seen targeting defense contractors, nuclear engineers and the cryptocurrency sector. This malware serves as the initial point of infection and plays a key role in profiling the victim and delivering the payload.
Researchers' observations indicate that LPEClient's role in this and other attacks aligns with the tactics of the Lazarus group, as also seen in the notorious 3CX supply chain attack. Further investigation has shown that this pattern of recurring attacks points to a determined and focused adversary, likely intent on stealing critical source code or disrupting the software supply chain.
Furthermore, the threat actor repeatedly exploited vulnerabilities in the vendor's software and then broadened the scope of the campaign by targeting other firms still running unpatched versions of that legitimate software.
This also highlights the fact that, even after vulnerabilities have been reported and patched, organizations worldwide continue to run flawed versions of compromised legitimate software without applying the available patches or updates.
Seongsu Park, Lead Security Researcher at Kaspersky's Global Research and Analysis Team, the firm that disclosed this research, said: "The Lazarus group's continued activity is a testament to their advanced capabilities and unwavering motivation. They operate on a global scale, targeting a wide range of industries with a diverse toolkit of methods. This signifies an ongoing and evolving threat that demands heightened vigilance."
Defenders are reminded of the importance of keeping all software up to date and patched against known vulnerabilities, and of maintaining continuous vulnerability monitoring.