
At least six organizations in South Korea have been targeted as part of a campaign by the North Korea-linked Lazarus Group.
According to a report by Kaspersky published today, the activity targeted South Korea's software, IT, financial, semiconductor manufacturing and telecommunications industries. The first evidence of the compromise was discovered in November 2024.
The campaign "included a sophisticated combination of a watering hole strategy and vulnerability exploitation within South Korean software," said security researchers Sojun Ryu and Vasily Berdnikov. "A one-day vulnerability in Innorix Agent was also used for lateral movement."
The attacks have been observed paving the way for variants of known Lazarus tools such as ThreatNeedle, Agamemnon, wAgent, SIGNBT and CopperHedge.
What makes these intrusions particularly effective is the likely exploitation of a security vulnerability in Cross EX, legitimate software that is widely used in South Korea to enable security software for online banking and government websites, such as anti-keylogging and certificate-based digital signatures.
The Russian cybersecurity vendor said, "The Lazarus Group reflects a strong understanding of these nuances and is using a South Korea-targeted strategy that combines vulnerabilities in such software with watering hole attacks."
The exploitation of a security flaw in Innorix Agent for lateral movement is notable because a similar approach was adopted in the past by Andariel, a sub-cluster of the Lazarus Group, to distribute malware such as Volgmer and Andardoor.
The starting point of the latest wave of attacks is a watering hole attack that triggered the deployment of ThreatNeedle after targets visited various South Korean online media sites. Visitors who land on the sites are filtered using a server-side script before being redirected to an attacker-controlled domain that serves malware.
"We assess with medium confidence that the redirected site may have executed a malicious script, targeting a potential flaw in Cross EX installed on the target PC, and launched malware," the researchers said. "The script eventually executed the legitimate SyncHost.exe and injected a shellcode, which loaded a variant of ThreatNeedle into that process."
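The injection step in the quoted assessment, a legitimate SyncHost.exe being launched and then loaded with shellcode, is the kind of behaviour endpoint telemetry can surface. The following is an added example, not code from Kaspersky or from the report, that correlates Sysmon-style process-creation, remote-thread and network events by PID. All event records are constructed, and the expected-parent baseline, the "browser.exe" placeholder and the System32 trust rule are assumptions rather than values taken from the article.

```python
"""Correlate process telemetry to flag a SyncHost.exe instance that looks injected.

Added example; the events below are constructed, not real telemetry, and the
field names only mimic Sysmon's ProcessCreate / CreateRemoteThread /
NetworkConnect records.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: in a healthy host SyncHost.exe is started by the service host.
# Derive a real baseline from your own environment before relying on this.
EXPECTED_PARENTS = {"svchost.exe", "services.exe"}

# Assumption: only binaries under System32 have a legitimate reason to open
# a thread inside SyncHost.exe.
TRUSTED_INJECTOR_PREFIX = "c:\\windows\\system32\\"

# Constructed sample: PID 1201 is a normal SyncHost; PID 4410 was started by a
# placeholder browser process, received a remote thread from it and then
# opened an outbound connection (addresses are TEST-NET placeholders).
EVENTS = [
    {"event": "ProcessCreate", "pid": 1201,
     "image": r"C:\Windows\System32\SyncHost.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"event": "NetworkConnect", "pid": 1201,
     "image": r"C:\Windows\System32\SyncHost.exe", "dest": "198.51.100.7:443"},
    {"event": "ProcessCreate", "pid": 4410,
     "image": r"C:\Windows\System32\SyncHost.exe",
     "parent_image": r"C:\Program Files\Browser\browser.exe"},
    {"event": "CreateRemoteThread", "target_pid": 4410,
     "source_image": r"C:\Program Files\Browser\browser.exe",
     "target_image": r"C:\Windows\System32\SyncHost.exe"},
    {"event": "NetworkConnect", "pid": 4410,
     "image": r"C:\Windows\System32\SyncHost.exe", "dest": "203.0.113.10:443"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return PureWindowsPath(path).name.lower()


def analyze(events):
    """Return {pid: [reasons]} for every SyncHost.exe process with an indicator."""
    findings = defaultdict(list)
    for ev in events:
        kind = ev["event"]
        if kind == "ProcessCreate" and basename(ev["image"]) == "synchost.exe":
            parent = basename(ev["parent_image"])
            if parent not in EXPECTED_PARENTS:
                findings[ev["pid"]].append(f"unexpected parent {parent}")
        elif kind == "CreateRemoteThread" and basename(ev["target_image"]) == "synchost.exe":
            src = ev["source_image"]
            if not src.lower().startswith(TRUSTED_INJECTOR_PREFIX):
                findings[ev["target_pid"]].append(f"remote thread from {basename(src)}")
        elif kind == "NetworkConnect" and basename(ev["image"]) == "synchost.exe":
            # Settings sync legitimately talks to the network, so on its own
            # this is weak evidence; it only counts together with other signals.
            findings[ev["pid"]].append(f"outbound connection to {ev['dest']}")
    return dict(findings)


def suspicious_pids(events, min_indicators=2):
    """PIDs with at least min_indicators distinct findings, sorted ascending."""
    return sorted(pid for pid, reasons in analyze(events).items()
                  if len(reasons) >= min_indicators)


if __name__ == "__main__":
    for pid, reasons in analyze(EVENTS).items():
        flag = "ALERT" if pid in suspicious_pids(EVENTS) else "info "
        print(f"{flag} pid={pid}: {'; '.join(reasons)}")
```

The threshold matters: a lone network connection from SyncHost.exe is expected on a normal host, so the rule only alerts when an unexpected parent or a foreign remote thread accompanies it, which is what the chain described in the quote would produce.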
In addition, the attacks employ malware families such as LPEClient for victim profiling and payload delivery, a downloader dubbed Agamemnon to download and execute additional payloads obtained from the command-and-control (C2) server, and the Hell's Gate technique to bypass security solutions during execution.
One payload downloaded by Agamemnon is a tool designed to carry out lateral movement by exploiting a security flaw in the Innorix Agent file transfer tool. Kaspersky stated that its investigation also revealed an additional arbitrary file download zero-day vulnerability in Innorix Agent, which has since been patched by the developers.
"Specialized attacks targeting supply chains in South Korea by the Lazarus Group are expected to continue in the future," Kaspersky said.
"The attackers are also trying to develop new malware or reduce detection by upgrading existing malware. In particular, they show improvements in C2 communication, command structure and the way they send and receive data."