The Lazarus hacking group has persistently breached a software vendor despite patches and warnings from the developer. These repeated breaches suggest that the hackers were intent on stealing valuable source code or manipulating the software supply chain.
The breach was uncovered in July 2023, revealing that Lazarus employed a diverse infection chain and post-compromise toolset. This attack is part of a broader campaign where Lazarus targeted multiple software vendors from March to August 2023.
Notably, Lazarus targeted legitimate security software used for web communications encryption, although the exact method of exploitation remains undisclosed.
The exploitation resulted in the deployment of the SIGNBT malware, along with shellcode for stealthy execution. Persistence was achieved by adding a malicious DLL to the startup process and modifying the Windows Registry.
This DLL performed victim ID checks before decrypting and loading the SIGNBT payload. SIGNBT facilitated command and control communications, allowing Lazarus to load credential dumping tools and the LPEClient malware on compromised systems. LPEClient, an info-stealer and malware loader, demonstrated significant evolution in its latest versions to avoid detection.
Lazarus remains a highly active and dangerous threat actor with a broad scope across regions and industries. Their persistence and sophistication underscore the importance of proactively patching software and preventing the exploitation of vulnerabilities for initial compromise.
To protect against persistent threat actors like Lazarus, organizations should prioritize cybersecurity measures. Regular software patching and updates are crucial to fix vulnerabilities that malicious actors may exploit. Continuous monitoring for suspicious activities and network intrusions can help detect threats early.
Implementing robust access controls and endpoint security solutions can reduce the risk of compromise. Security awareness training for employees can also thwart initial attack vectors like phishing. Collaboration with cybersecurity experts and agencies is essential to share threat intelligence and stay ahead of evolving threats.