North Korean Hackers Suspected of Supply Chain Attacks
ESET: Attackers Used Hijacked Software to Target South Korean Organizations
North Korean hackers are suspected of carrying out a supply chain attack that targeted businesses, including financial firms, in South Korea using stolen digital certificates, according to researchers with security firm ESET.
An analysis of the tools used during this attack and some of the targets selected has led ESET to attribute this campaign to the North Korean Lazarus Group, which is also called Hidden Cobra (see: Defense Contractor Hacking More Expansive Than First Thought).
The hackers apparently used illegally obtained or stolen code-signing certificates to sign the malware samples used as part of the attack, ESET says. In at least one case, the stolen certificate appears to have come from the U.S. branch of a South Korean security company.
"Attackers are particularly interested in supply chain attacks because they allow them to covertly deploy malware on many computers at the same time," according to the ESET report released Monday.
The ESET report notes that these campaigns are difficult to pull off, which is why the technique has appeared in only a limited number of Lazarus operations.
"A successful malware deployment using this method requires a number of preconditions; that’s why it was used in limited Lazarus campaigns," Anton Cherepanov and Peter Kálnai, threat researchers with ESET, note in the report.
In the campaign that ESET uncovered, the hackers abused Wizvera VeraPort, software used by many South Korean government agencies and some banks on their websites. VeraPort is an integration installer: it manages the download and installation of the additional security software that those sites require a visitor to have before using them.
In South Korea, users are typically required to download and install additional security software when visiting government or banking sites, and the Wizvera VeraPort is one of the tools available, according to the report.
In the first stage of the campaign, Lazarus compromised a website that supports Wizvera VeraPort, whether through phishing or by other means, so that the site served malicious binaries in place of the legitimate software it was supposed to deliver, the researchers note.
Those binaries were signed with the stolen certificates, so to VeraPort and to anyone downloading them the Lazarus malware looked like legitimately signed software, according to the report.
"The attackers camouflaged the Lazarus malware samples as legitimate software," Cherepanov and Kálnai note in the report. "These samples have similar filenames, icons and version info resources as legitimate South Korean software often delivered via Wizvera VeraPort."
The report stresses, however, that the attacks targeted websites that use Wizvera VeraPort, not the software vendor itself.
"Once downloaded, they are verified using a strong cryptographic algorithm (RSA), which is why attackers can’t easily modify the content of these configuration files or set up their fake website," according to the report. "However, the attackers can replace the software to be delivered to Wizvera VeraPort users from a legitimate but compromised website. We believe this is the scenario the Lazarus attackers used."
Complexities of the Attack
The ESET report notes that the complexity of this attack, from stealing the certificates to getting the potential victim to visit a compromised site, makes these types of campaigns limited in scope.
The attack also requires that the potential victim already has Wizvera VeraPort installed and is lured to a compromised site that serves the malware. Whether the delivered binary then runs depends on the site's VeraPort configuration: ESET notes that the configuration controls whether the signatures of downloaded binaries are checked at all, and that the check only confirms a signature is valid, not which publisher made it, which is why a stolen certificate is enough.
If all these steps take place, a dropper is installed on the victim's device, which then connects to a command-and-control server controlled by the hackers. A remote access Trojan, or RAT, is then installed, which can act as a backdoor or exfiltrate data, according to the report.
"It's the combination of compromised websites with Wizvera VeraPort support and specific VeraPort configuration options that allow attackers to perform this attack," the ESET researchers say.
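The distinction the researchers draw, a configuration that cannot be altered but a binary that can be swapped and still passes a signature check, is easier to see in code. The Go program below is an added example written for this page, not ESET's or Wizvera's code, and it does not reproduce VeraPort's real logic. It models a client that accepts any downloaded binary carrying a valid signature from a validly issued certificate (which a stolen certificate satisfies) beside one that also pins the expected publisher and file digest from its signed configuration. Ed25519 stands in for RSA because it is in Go's standard library; the vendor names, payloads and the pinning check are constructed for illustration and are assumptions, not details from the report.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Cert stands in for an issued code-signing certificate. Ed25519 is used only
// because it is in Go's standard library; the real certificates were RSA.
type Cert struct {
	Subject string
	Pub     ed25519.PublicKey
}

// SignedBinary is what a VeraPort-style client downloads: the file bytes, a
// signature over them, and the certificate the signer presents.
type SignedBinary struct {
	Payload   []byte
	Signature []byte
	Cert      Cert
}

// Expectation is what a hardened client would carry per file in its signed
// configuration (a hypothetical hardening, not something the page says
// VeraPort does): the required publisher and the expected digest.
type Expectation struct {
	Subject string
	SHA256  [32]byte
}

// newCert issues a constructed certificate and returns its private key.
func newCert(subject string) (Cert, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Cert{Subject: subject, Pub: pub}, priv
}

func sign(payload []byte, cert Cert, priv ed25519.PrivateKey) SignedBinary {
	return SignedBinary{Payload: payload, Signature: ed25519.Sign(priv, payload), Cert: cert}
}

// weakVerify models the check a stolen certificate defeats: the signature must
// be valid and the certificate trusted, but nothing ties that certificate to
// the file the client expected to install.
func weakVerify(bin SignedBinary, trusted []Cert) bool {
	for _, c := range trusted {
		if c.Subject == bin.Cert.Subject && bytes.Equal(c.Pub, bin.Cert.Pub) {
			return ed25519.Verify(c.Pub, bin.Payload, bin.Signature)
		}
	}
	return false
}

// strictVerify runs the same check, then pins signer and content to the
// configuration, so a validly signed file from the wrong publisher, or the
// right publisher's signature on different bytes, is refused.
func strictVerify(bin SignedBinary, trusted []Cert, want Expectation) error {
	if !weakVerify(bin, trusted) {
		return errors.New("signature invalid or certificate not trusted")
	}
	if bin.Cert.Subject != want.Subject {
		return fmt.Errorf("signed by %q, configuration expects %q", bin.Cert.Subject, want.Subject)
	}
	if sha256.Sum256(bin.Payload) != want.SHA256 {
		return errors.New("payload digest does not match configuration")
	}
	return nil
}

// Outcome records what each verifier decided in the constructed scenario.
type Outcome struct {
	WeakAcceptsMalware, StrictAcceptsMalware, StrictAcceptsLegit bool
	StrictReason                                                string
}

// runScenario rebuilds the attack with constructed keys and payloads: a
// legitimate vendor, a second validly issued certificate the attacker has
// stolen, and a dropper served in place of the vendor's installer.
func runScenario() Outcome {
	vendorCert, vendorKey := newCert("Example Vendor Co.")    // hypothetical name
	stolenCert, stolenKey := newCert("Example Security Inc.") // hypothetical name
	trusted := []Cert{vendorCert, stolenCert}                 // both validly issued, so both trusted

	legit := sign([]byte("constructed: legitimate installer bytes"), vendorCert, vendorKey)
	want := Expectation{Subject: vendorCert.Subject, SHA256: sha256.Sum256(legit.Payload)}
	// The compromised site serves this instead, under the legitimate filename.
	malware := sign([]byte("constructed: dropper bytes"), stolenCert, stolenKey)

	out := Outcome{
		WeakAcceptsMalware: weakVerify(malware, trusted),
		StrictAcceptsLegit: strictVerify(legit, trusted, want) == nil,
	}
	if err := strictVerify(malware, trusted, want); err != nil {
		out.StrictReason = err.Error()
	} else {
		out.StrictAcceptsMalware = true
	}
	return out
}

func main() {
	out := runScenario()
	fmt.Printf("weak verifier accepts dropper:   %v\n", out.WeakAcceptsMalware)
	fmt.Printf("strict verifier accepts dropper: %v (%s)\n", out.StrictAcceptsMalware, out.StrictReason)
	fmt.Printf("strict verifier accepts vendor:  %v\n", out.StrictAcceptsLegit)
}
```

Run it with `go run`: the weak verifier accepts the dropper, the strict verifier rejects it on signer identity, and the vendor's own binary still passes. Either pin alone would have stopped the attack as described, since the attackers could replace the binary on the compromised site but could not alter the RSA-signed configuration that would carry the pin.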
Lazarus, or Hidden Cobra, is suspected of carrying out a series of high-profile attacks, including the Sony Pictures hack of 2014 as well as the WannaCry ransomware attacks of 2017 (see: US Offers $5 Million Reward for N. Korea Hacker Information).
Since those attacks, U.S. government agencies, including the FBI, have issued regular warnings about North Korea-sponsored hackers and have published data on nearly 30 malware variants associated with hacking groups suspected of working with the regime (see: Group Behind WannaCry Now Using New Malware).