Kaspersky researchers saw the North Korean state APT Lazarus use a new variant of the Blinding Can RAT to breach a Latvian IT vendor and then a South Korean think tank.
The MATA malware framework can target three operating systems: Windows, Linux and macOS. MATA has historically been used to steal customer databases and to spread ransomware in various industries, but in June, Kaspersky researchers tracked Lazarus using MATA for cyber-espionage.
“The actor delivered a Trojanised version of an application known to be used by their victim of choice – a well-known Lazarus characteristic,” they wrote in Kaspersky’s latest quarterly threat intelligence report, released on Tuesday.
This is hardly the first time that Lazarus has attacked the defence industry, Kaspersky noted, pointing to the similar, mid-2020 Threat Needle campaign.
Lazarus Ups Supply-Chain Attacks
Researchers have also seen Lazarus building supply-chain attack capabilities with an updated Death Note (aka Operation Dream Job) malware cluster that consists of a slightly updated variant of the North Korean remote-access trojan (RAT) known as Blinding Can.
The US Cybersecurity and Infrastructure Security Agency (CISA) sent out an alert about Blinding Can in August 2020, warning that Hidden Cobra – another name for Lazarus that the US government uses in general to refer to malicious cyber activity by the North Korean government – was using Blinding Can to steal intelligence from military and energy organisations.
The researchers have also discovered campaigns targeting a South Korean think tank, with an infection chain that included legitimate South Korean security software carrying a malicious payload, and a Latvian IT asset-monitoring tool vendor.
Infiltrating the Military
Researchers consider Lazarus, which has been active since at least 2009, to be one of the world’s most active threat actors.
“This APT group has been behind large-scale cyber-espionage & ransomware campaigns & has been spotted attacking the defence & cryptocurrency markets,” Kaspersky researchers noted. “With a variety of advanced tools at their disposal, they appear to be applying them to new goals.”
Lazarus’ attacks against the military include a campaign discovered in July, in which the APT was spreading malicious documents to job-seeking engineers by impersonating defence contractors seeking job candidates.
Before that, in February, researchers linked a 2020 spear-phishing campaign to the APT that aimed at stealing critical data from defence companies by leveraging an advanced malware called Threat Needle.
As part of the infection chain against the Latvian asset-monitoring tool vendor, Lazarus used a downloader named Racket that the threat actors signed with a stolen certificate.
“The actor compromised vulnerable web servers & uploaded several scripts to filter and control the malicious implants on successfully breached machines,” Kaspersky said in the summary of its quarterly report, which can be seen in full on Secure List.
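The Racket detail above is the defender's lesson in this story: a code-signing signature made with a stolen but not-yet-revoked certificate validates perfectly well, so "is it signed by the vendor?" is not enough to accept a software update. The check below is an added example (not from the article, Kaspersky or the affected vendor) of pinning the update out-of-band: the organisation records the expected SHA-256 of every file in a vendor release and the thumbprints of signing certificates it trusts, and rejects a bundle on any mismatch, unexpected file or revoked signer. All file contents, hashes and thumbprints are constructed for the demonstration; the vendor name and file names are hypothetical.

```python
"""Pinned-manifest verification of a vendor software bundle (added example).

A trojanised build signed with a stolen certificate passes ordinary signature
validation; pinning the exact artifact hashes obtained through a separate,
trusted channel catches it anyway.  Every value below is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed: hashes of the genuine release, recorded at pin time from a
# trusted channel (e.g. the vendor's signed release notes, not the download).
PINNED_MANIFEST = {
    "agent.exe": hashlib.sha256(b"genuine asset-monitoring agent 4.2.1").hexdigest(),
    "config.ini": hashlib.sha256(b"[agent]\nserver=monitor.example.invalid\n").hexdigest(),
}

# Constructed: certificate thumbprints the organisation trusts for this vendor,
# and thumbprints reported stolen or revoked.  A stolen-but-valid cert is only
# caught here once someone reports it; the hash check above does not wait.
TRUSTED_SIGNERS = {"aa11aa11-trusted-vendor-thumbprint"}
REVOKED_SIGNERS = {"bb22bb22-stolen-vendor-thumbprint"}


@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)


def verify_bundle(files, signer_thumbprint, manifest=PINNED_MANIFEST,
                  trusted=TRUSTED_SIGNERS, revoked=REVOKED_SIGNERS):
    """Return a Verdict for a downloaded bundle.

    files: {filename: bytes} as received.  The bundle is accepted only if the
    signer is trusted and not revoked, every pinned file is present with the
    pinned hash, and no extra files were slipped in.
    """
    reasons = []

    # Signer policy: revocation beats trust, and unknown signers are rejected.
    if signer_thumbprint in revoked:
        reasons.append(f"signer {signer_thumbprint} is revoked")
    elif signer_thumbprint not in trusted:
        reasons.append(f"signer {signer_thumbprint} is not a pinned vendor signer")

    # Content policy: compare the full union of pinned and received names so
    # that both dropped files and injected files are reported.
    for name in sorted(set(files) | set(manifest)):
        if name not in manifest:
            reasons.append(f"unexpected file {name} not in pinned manifest")
        elif name not in files:
            reasons.append(f"pinned file {name} missing from bundle")
        else:
            actual = hashlib.sha256(files[name]).hexdigest()
            # Constant-time comparison; the digests are fixed-length hex strings.
            if not hmac.compare_digest(actual, manifest[name]):
                reasons.append(f"hash mismatch for {name}")

    return Verdict(ok=not reasons, reasons=reasons)


def genuine_bundle():
    """Constructed: the release exactly as pinned."""
    return {
        "agent.exe": b"genuine asset-monitoring agent 4.2.1",
        "config.ini": b"[agent]\nserver=monitor.example.invalid\n",
    }


def trojanised_bundle():
    """Constructed: same file names, but agent.exe has been replaced and a
    downloader was added.  The signer is the vendor's own (stolen) certificate."""
    bundle = genuine_bundle()
    bundle["agent.exe"] = b"modified agent build with embedded downloader"
    bundle["racket-like-downloader.exe"] = b"constructed stand-in for an extra binary"
    return bundle


if __name__ == "__main__":
    print(verify_bundle(genuine_bundle(), "aa11aa11-trusted-vendor-thumbprint"))
    # Stolen certificate that the vendor still trusts: the hash pins catch it.
    print(verify_bundle(trojanised_bundle(), "aa11aa11-trusted-vendor-thumbprint"))
```

The second call is the interesting one: the signer thumbprint is on the trusted list, exactly as it would be the day a certificate is stolen, and the bundle is still rejected because the pinned hash for `agent.exe` no longer matches and an extra binary is present. Revocation lists only help after the theft is discovered; the manifest pin works from day one.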
Ariel Jungheit, Senior Security Researcher for Kaspersky’s Global Research and Analysis Team (GReAT), stated in the summary that the recent discoveries show that Lazarus is still keen on infiltrating the defence industry, but is also looking to expand into supply-chain attacks.
“When carried out successfully, supply chain attacks can cause devastating results, affecting much more than 1 organisation – something we saw clearly with the SolarWinds attack last year,” Jungheit explained, referring to the wave of supply-chain intrusions known as SolarWinds that the Nobelium APT set off late last year.
“With threat actors investing in such capabilities, we need to stay vigilant & focus defence efforts on that front,” Jungheit cautioned.