The state-sponsored persistent threat group has been observed branching into multi-platform supply chain attacks and cyber-espionage.

Lazarus, a prolific North Korean advanced persistent threat (APT) group, has developed supply chain attack capabilities and has used a multi-platform (Windows, Linux, macOS) framework for cyber-espionage in the past months.

Active since 2009, this APT group has been behind large-scale cyber-espionage and ransomware campaigns, and has been spotted attacking the defense industry and the cryptocurrency market.

Having a variety of advanced tools at their disposal, they appear to have chosen to apply them to new goals. In June 2021, researchers from Kaspersky observed Lazarus attacking the defense industry using the MATA malware framework, not for financially motivated purposes but for cyber-espionage.

The group delivered a trojanized version of an application known to be used by its chosen victim, a well-known Lazarus characteristic. This was not the first time the Lazarus group had attacked the defense industry: its previous ThreatNeedle campaign was carried out in a similar fashion in mid-2020.

Supply chain attacks added

Lazarus has also been observed using supply chain attack capabilities through an updated DeathNote cluster, which consists of a slightly modified variant of BLINDINGCAN, malware previously reported by the US Cybersecurity and Infrastructure Security Agency (CISA).

Kaspersky researchers discovered campaigns targeting a South Korean think-tank and an IT asset monitoring solution vendor. In the first case, Lazarus built an infection chain that started from legitimate South Korean security software, which was abused to deploy a malicious payload; in the second case, the target was a company developing asset monitoring solutions in Latvia, an atypical victim for Lazarus.

As part of the infection chain, Lazarus used a downloader named ‘Racket’, which the group signed with a stolen certificate. The group compromised vulnerable web servers and uploaded several scripts to them in order to filter and control the malicious implants on successfully breached machines.

According to one of Kaspersky’s senior security researchers, Ariel Jungheit: “These recent developments highlight two things: Lazarus remains interested in the defense industry and is also looking to expand its capabilities with supply chain attacks. This APT group is not the only one seen using supply chain attacks. In the past quarter we have also tracked such attacks carried out by SmudgeX and BountyGlad. When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organization—something we saw clearly with the SolarWinds attack last year.”