The security company ESET has reported a new attack by the Lazarus group, this time a supply-chain attack in South Korea. The attackers attempted to deploy Lazarus malware to users who accessed government and financial websites that require the WIZVERA VeraPort software.

The Lazarus group, also known as HIDDEN COBRA or Zinc, is a team of hackers with links to North Korea. It came to public attention in 2014 with the attack on Sony Pictures, but attacks have been attributed to the group since 2009. Among the main attacks linked to it are an espionage campaign against the South Korean government from 2009 onward, the "Ten Days of Rain" attack in 2011 and DarkSeoul in 2013; the latter two targeted South Korean media and financial institutions.

New modus operandi of Lazarus in South Korea

“The attackers camouflaged the Lazarus samples as legitimate software, with file names, icons and resources similar to official software. The combination of the compromised sites with WIZVERA VeraPort support and some specific VeraPort configurations is what allowed this attack to be successful”

Peter Kálnai and Anton Cherepanov, the ESET researchers who analyzed the Lazarus attack together.

WIZVERA VeraPort is an integration installation program: a South Korean application that manages the additional security software that South Korean government and banking websites require. "For some of these websites, it is mandatory to have WIZVERA VeraPort installed so that users can access the sites' services." According to the ESET report, the "Lazarus attackers abused the above mechanism of installing security software in order to deliver Lazarus malware from a legitimate but compromised website".

Simplified scheme of the WIZVERA supply-chain attack conducted by the Lazarus group from the ESET website

The attack is a novel method for Lazarus. In the recorded incidents, the attackers misused legitimate security software together with code-signing certificates stolen from two different companies, ALEXIS SECURITY GROUP, LLC and DREAM SECURITY USA INC., and used those irregularly obtained certificates to sign the malware samples. Ironically, one of the certificates had been issued to the US subsidiary of a South Korean security company. A valid signature on the downloaded binary therefore proved only that some holder of a trusted certificate had signed it, not that it came from the publisher the site was supposed to deliver.
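To make the stolen-certificate point concrete, the following Go program is an added illustration, not ESET's code and not VeraPort's actual download or signature format. It models a simplified installer manifest and compares two verification policies: accepting any signature that verifies under a trust-store certificate (which a stolen but still-valid certificate satisfies) versus pinning the expected publisher and the expected SHA-256. Ed25519 from the Go standard library stands in for X.509 code-signing certificates; the publisher names, file name, seeds and payload bytes are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Publisher stands in for a code-signing certificate in a trust store:
// a subject name bound to a public key. Constructed for this example.
type Publisher struct {
	Name string
	Key  ed25519.PublicKey
}

// Component is one entry of a simplified installer manifest: the bytes the
// site served, the SHA-256 the site operator committed to, the publisher
// the operator expects to have signed it, and the signature that came with
// the download. The field names are hypothetical, not VeraPort's format.
type Component struct {
	Name           string
	Data           []byte
	ExpectedSHA256 string
	ExpectedSigner string
	Signature      []byte
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// VerifyAnyTrustedSigner models the weak policy: accept the download if its
// signature verifies under any certificate in the trust store. A stolen but
// still-valid certificate from an unrelated company satisfies this.
func VerifyAnyTrustedSigner(c Component, store []Publisher) bool {
	for _, p := range store {
		if ed25519.Verify(p.Key, c.Data, c.Signature) {
			return true
		}
	}
	return false
}

// VerifyPinnedSigner models the hardened policy: the hash must match the
// manifest and the signature must verify under the one publisher the
// manifest names. This assumes the manifest itself reached the client over
// an integrity-protected channel, independent of the (possibly compromised)
// download server.
func VerifyPinnedSigner(c Component, store []Publisher) bool {
	if sha256Hex(c.Data) != c.ExpectedSHA256 {
		return false
	}
	for _, p := range store {
		if p.Name == c.ExpectedSigner {
			return ed25519.Verify(p.Key, c.Data, c.Signature)
		}
	}
	return false // expected publisher not in the trust store
}

// Outcome collects the four verdicts so they can be checked programmatically.
type Outcome struct {
	LegitAnySigner, LegitPinned, TrojanAnySigner, TrojanPinned bool
}

// RunScenario builds a two-entry trust store, a legitimate component signed
// by the expected vendor, and a trojanised replacement signed with a
// certificate stolen from an unrelated company, then runs both policies.
func RunScenario() Outcome {
	// Fixed seeds keep the example reproducible; they are arbitrary values.
	vendorPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	stolenPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	const vendor = "Bank Security Vendor (hypothetical)"
	store := []Publisher{
		{Name: vendor, Key: vendorPriv.Public().(ed25519.PublicKey)},
		{Name: "Unrelated Software Co (hypothetical)", Key: stolenPriv.Public().(ed25519.PublicKey)},
	}

	legitData := []byte("legitimate security component v1.0 (constructed payload)")
	trojanData := []byte("trojanised component that drops a backdoor (constructed payload)")

	legit := Component{
		Name: "secmodule.exe", Data: legitData,
		ExpectedSHA256: sha256Hex(legitData), ExpectedSigner: vendor,
		Signature: ed25519.Sign(vendorPriv, legitData),
	}
	// The attacker swaps the binary on the compromised site and signs it with
	// the stolen key; the manifest still names the real vendor and real hash.
	trojan := legit
	trojan.Data = trojanData
	trojan.Signature = ed25519.Sign(stolenPriv, trojanData)

	return Outcome{
		LegitAnySigner:  VerifyAnyTrustedSigner(legit, store),
		LegitPinned:     VerifyPinnedSigner(legit, store),
		TrojanAnySigner: VerifyAnyTrustedSigner(trojan, store),
		TrojanPinned:    VerifyPinnedSigner(trojan, store),
	}
}

func main() {
	o := RunScenario()
	fmt.Printf("legit   any-signer=%v pinned=%v\n", o.LegitAnySigner, o.LegitPinned)
	fmt.Printf("trojan  any-signer=%v pinned=%v\n", o.TrojanAnySigner, o.TrojanPinned)
}
```

The legitimate component passes both policies; the trojanised one passes the any-signer policy, because the stolen certificate is still trusted, and fails the pinned policy on both the hash and the signer. The pinned check only helps if the manifest that carries the expected hash and publisher cannot itself be rewritten by whoever controls the compromised site, which is why it should be signed by the site operator or fetched from a separately protected source.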

Despite the many attacks attributed to this group, and their historical significance in South Korea, little is known about Lazarus. The mastermind behind the team remains unknown, and the information stolen by the group has not been leaked to the public. Hopefully, the recent investigations will identify those responsible and put a stop to the attacks.
