North Korea-linked Lazarus APT group is now targeting also IT supply chain, researchers from Kaspersky Lab warns.
The activity of the Lazarus APT group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.
The APT group used a new variant of the BLINDINGCAN backdoor in attacks aimed at a Latvian IT vendor and a South Korean think tank, respectively in May and June.
The nation-state actor used its multi-platform malware framework MATA framework.
The MATA malware framework could target Windows, Linux, and macOS operating systems, the malware framework implements a wide range of features that allow attackers to fully control the infected systems.
According to the experts from Kaspersky that first analyzed the framework, the MATA campaign has been active at least since April of 2018.
Kaspersky experts reported that the Lazarus APT is building supply-chain attack capabilities with an updated DeathNote (aka Operation Dream Job) malware cluster that is an updated variant of the BlindingCan RAT. The use of the BlindingCan RAT was first documented by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in August 2020. The BlindingCan was employed in attacks on US and foreign companies operating in the military defense and aerospace sectors.
The BLINDINGCAN RAT implements the following built-in functions-:
The CISA MAR provided indicators of compromise (IoCs), Yara rules, and other technical info that could be used by system administrators to discover compromise systems within their networks.
“Our investigation revealed indications that point to Lazarus building supply-chain attack capabilities. In one case, we found that the infection chain stemmed from legitimate South Korean security software executing a malicious payload; and in the second case, the target was a company developing asset monitoring solutions in Latvia, an atypical victim for Lazarus.” reads the report published by Kaspersky.
This is the first IT supply chain attack conducted by Lazarus that was documented by Kaspersky researchers.
Ariel Jungheit from Kaspersky’s Global Research and Analysis Team (GReAT) explained the dangers of supply chain attacks like the SolarWinds hack and warned of nation-state actors investing in such capabilities.
“When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organization – something we saw clearly with the SolarWinds attack last year,” Jungheit said. “With threat actors investing in such capabilities, we need to stay vigilant and focus defense efforts on that front.”
(SecurityAffairs – hacking, supply chain attack)