Lazarus Group Steps Up Its Game In South Korean Financial Institution Hack


The Lazarus Group, a North Korea-linked cyber threat group, has been found to have exploited vulnerabilities in undisclosed software to breach a South Korean financial entity twice within a year.

The first attack, in May 2022, exploited a vulnerable version of certificate software widely used by public institutions and universities. The second attack, in October 2022, used a zero-day vulnerability in the same software.

Cybersecurity firm AhnLab Security Emergency Response Center (ASEC) has declined to disclose further details, citing that the vulnerability has not been fully verified and that no software patch has been released.

The Lazarus Group gained initial access by an unknown method, then used the zero-day vulnerability to move laterally. The group also disabled the AhnLab V3 anti-malware engine via a bring-your-own-vulnerable-driver (BYOVD) attack, a technique it has employed in recent months, and hid its activities through file name changes, timestomping, and other anti-forensic techniques.

The attack allowed the group to deliver multiple backdoor payloads, including Keys.dat and Settings.vwx. These files are designed to connect to a remote command-and-control server and retrieve additional binaries, which can then be executed in a fileless manner.

Last week, cybersecurity firm ESET reported on a new implant called WinorDLL64. The threat is deployed by the Lazarus Group using a malware loader named Wslink. ASEC warned that the Lazarus Group continues to research vulnerabilities in various software. The group constantly changes tactics to evade detection and infiltrate Korean institutions and companies.

The use of advanced and constantly evolving techniques by cyber threat groups highlights the need for continued vigilance and proactive cybersecurity measures by organizations worldwide.

The Lazarus Group has also been involved in various cryptocurrency-related hacks and thefts; the Ronin Bridge incident, among other events, is attributed to this collective. In addition, the group often launders its stolen proceeds through mixers and tumblers to mask its tracks.
