Pierluigi Paganini October 27, 2021

North Korea-linked Lazarus APT group is extending its operations and started targeting the IT supply chain on new targets.

North Korea-linked Lazarus APT group is now targeting also IT supply chain, researchers from Kaspersky Lab warns.

The activity of the Lazarus APT group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFTattacks in 2016, and the Sony Pictures hack.

The APT group used a new variant of the BLINDINGCAN backdoor in attacks aimed at a Latvian IT vendor and a South Korean think tank, respectively in May and June.

The nation-state actor used its multi-platform malware framework MATA framework.

The MATA malware framework could target Windows, Linux, and macOS operating systems, the malware framework implements a wide range of features that allow attackers to fully control the infected systems.

According to the experts from Kaspersky that first analyzed the framework, the MATA campaign has been active at least since April of 2018.

Kaspersky experts reported that the Lazarus APT is building supply-chain attack capabilities with an updated DeathNote (aka Operation Dream Job) malware cluster that is an updated variant of the BlindingCan RAT. The use of the BlindingCan RAT was first documented by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in August 2020. The BlindingCan was employed in attacks on US and foreign companies operating in the military defense and aerospace sectors.

The BLINDINGCAN RAT implements the following built-in functions-:

• Retrieve information about all installed disks, including the disk type and the amount of free space on the disk
• Get operating system (OS) version information
• Get Processor information
• Get system name
• Get local IP address information
• Get the victim’s media access control (MAC) address.
• Create, start, and terminate a new process and its primary thread
• Search, read, write, move, and execute files
• Get and modify file or directory timestamps
• Change the current directory for a process or file
• Delete malware and artifacts associated with the malware from the infected system

The CISA MAR provided indicators of compromise (IoCs), Yara rules, and other technical info that could be used by system administrators to discover compromise systems within their networks.

“Our investigation revealed indications that point to Lazarus building supply-chain attack capabilities. In one case, we found that the infection chain stemmed from legitimate South Korean security software executing a malicious payload; and in the second case, the target was a company developing asset monitoring solutions in Latvia, an atypical victim for Lazarus.” reads the report published by Kaspersky.

This is the first IT supply chain attack conducted by Lazarus that was documented by Kaspersky researchers.

Ariel Jungheit from Kaspersky’s Global Research and Analysis Team (GReAT) explained the dangers of supply chain attacks like the SolarWinds hack and warned of nation-state actors investing in such capabilities.

“When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organization – something we saw clearly with the SolarWinds attack last year,” Jungheit said. “With threat actors investing in such capabilities, we need to stay vigilant and focus defense efforts on that front.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, supply chain attack)

[adrotate banner=”5″]

[adrotate banner=”13″]