The North Korea-linked Lazarus Group has targeted at least six organizations in South Korea as part of a campaign dubbed "Operation SyncHole."
According to a report from Kaspersky released today, the activity targeted South Korea's software, IT, financial, semiconductor manufacturing, and telecommunications industries. Evidence of compromise dates back to November 2024.
Security researchers Sojun Ryu and Vasily Berdnikov described the campaign as "a sophisticated combination of a watering hole strategy and vulnerability exploitation within South Korean software." A one-day vulnerability in Innorix Agent was also used for lateral movement.
The attacks have been observed paving the way for variants of well-known Lazarus tools, Agamemnon among them.
What makes these intrusions particularly noteworthy is the likely exploitation of a security vulnerability in Cross EX, a legitimate application used in South Korea to enable the use of security software on online banking and government websites for anti-keylogging and certificate-based digital signatures.
The Russian security vendor said the Lazarus Group uses a South Korea-focused strategy that combines vulnerabilities in such software with watering hole attacks.
The exploitation of a security weakness in Innorix Agent for lateral movement is also significant, given that a similar approach has been used by the Lazarus Group in the past to distribute malware such as Volgmer and Andardoor.
A watering hole attack, which served as the starting point for the latest wave of attacks, led to the deployment of ThreatNeedle after the targets visited several South Korean online media outlets. Visitors are filtered using a server-side script before being redirected to an adversary-controlled domain that serves the malware.
The researchers said with "medium confidence" that the redirected site "may have launched malware while attempting to exploit a potential vulnerability in Cross EX installed on the target PC." The script ultimately ran the legitimate SyncHost.exe and injected shellcode that loaded a ThreatNeedle variant into that process.
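The chain described above has two observable steps on the endpoint: a legitimate process (SyncHost.exe) is started as a by-product of a browser visit, and shellcode is then injected into it. The detection sketch below is an added example, not code from Kaspersky or the article; it runs two rules over constructed JSON-lines telemetry and correlates them so that a remote thread created in a SyncHost.exe that a browser spawned is rated higher than either signal alone. The field names, the browser list, and the premise that SyncHost.exe is not normally a child of a browser are assumptions for illustration, not facts from the report.

```python
"""Correlate browser-spawned SyncHost.exe with remote-thread injection into it.

Added example for the SyncHole chain (watering hole -> Cross EX exploit ->
SyncHost.exe -> shellcode injection). Telemetry format and sample events are
constructed; field names mimic, but are not, any specific EDR/Sysmon schema.
"""
import json

# Assumption: browsers are not a legitimate parent for the Cross EX helper.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
TARGET = "synchost.exe"  # legitimate process named in the report (basename only)

# Constructed sample telemetry, one JSON object per line. Events 1 and 3 model
# the chain on the page; events 2, 4 and 5 are benign noise for contrast.
SAMPLE_EVENTS = """\
{"event": "process_create", "pid": 4412, "image": "synchost.exe", "parent_image": "chrome.exe"}
{"event": "process_create", "pid": 4413, "image": "synchost.exe", "parent_image": "services.exe"}
{"event": "remote_thread", "source_pid": 5120, "source_image": "chrome.exe", "target_pid": 4412, "target_image": "synchost.exe"}
{"event": "remote_thread", "source_pid": 4413, "source_image": "synchost.exe", "target_pid": 4413, "target_image": "synchost.exe"}
{"event": "process_create", "pid": 6001, "image": "notepad.exe", "parent_image": "explorer.exe"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return alerts as (rule, severity, pid, detail) tuples.

    Rule 1: SyncHost.exe created with a browser as parent (medium).
    Rule 2: a remote thread created in SyncHost.exe by another process;
            rated high when the target pid was already flagged by rule 1,
            which is the two-step shape described for the campaign.
    """
    suspicious_pids = set()
    alerts = []
    for e in events:
        if e["event"] == "process_create":
            if e["image"].lower() == TARGET and e["parent_image"].lower() in BROWSERS:
                suspicious_pids.add(e["pid"])
                alerts.append(("browser_spawned_synchost", "medium", e["pid"], e["parent_image"]))
        elif e["event"] == "remote_thread":
            # Threads a process creates in itself are normal; only cross-process counts.
            if e["target_image"].lower() == TARGET and e["source_pid"] != e["target_pid"]:
                severity = "high" if e["target_pid"] in suspicious_pids else "medium"
                alerts.append(("remote_thread_into_synchost", severity, e["target_pid"], e["source_image"]))
    return alerts


def run_sample():
    """Run the rules over the constructed telemetry and return the alerts."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for rule, severity, pid, detail in run_sample():
        print(f"[{severity}] {rule} pid={pid} ({detail})")
```

Events are processed in order, so the correlation only fires when the process-creation event precedes the injection event, which is the order a sensor would emit them. In a real deployment the browser set and the expected parent of SyncHost.exe should be derived from the environment's own baseline rather than hard-coded.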
The infection chain has been observed to unfold in two phases, with ThreatNeedle and wAgent used in the early stage and SIGNBT and COPPERHEDGE in the later stage, followed by credential-dumping tools on the affected hosts.
Also used are LPEClient, for victim profiling and payload delivery, and Agamemnon, a downloader that fetches and executes additional payloads from the command-and-control (C2) server and relies on the Hell's Gate technique to bypass security solutions while doing so.
One payload downloaded by Agamemnon exploited a security flaw in the Innorix Agent file transfer tool to perform lateral movement. Kaspersky said its investigation also uncovered an arbitrary file download zero-day vulnerability in Innorix Agent, which the developers have since patched.
"The Lazarus group's specialized attacks targeting supply chains in South Korea are expected to continue in the future," Kaspersky said.
"The attackers are also making efforts to reduce detection by creating new malware or improving existing malware," the statement continues. "They improve communication with C2, the C2 command structure, and the way data is sent and received, among other things."