North Korea-controlled software: Lazarus uses your own tools against you

Carding 4 Carders

What are the consequences of an attack whose victims are kept secret?

Kaspersky Lab specialists attributed a new campaign to the North Korean group Lazarus, in which an unnamed software vendor was compromised through the exploitation of vulnerabilities in other software.

According to the researchers, the attacks culminated in the deployment of malware families such as SIGNBT and LPEClient. The latter is used by the group to profile victims and deliver payloads.

Kaspersky Lab noted that the company that developed the vulnerable software has previously been a victim of Lazarus several times, which indicates an attempt to steal the source code or compromise the software supply chain, as in the case of the 3CX supply chain attack.

The Lazarus group continued to exploit vulnerabilities in the company's software while simultaneously attacking other software vendors. As of mid-July 2023, several victims had been identified.

According to experts, the victims were attacked via a legitimate security tool designed to encrypt web communications with digital certificates. The name of the software was not disclosed, and the exact mechanism by which SIGNBT was distributed remains unknown.

In addition to using various tactics to establish and maintain persistence, the attack chains use a loader to launch the SIGNBT malware, whose main function is to establish contact with the remote server and receive further commands to execute on the infected host.

The backdoor is equipped with a wide range of features for controlling the victim's system. These include process enumeration, file and directory operations, and deployment of payloads, including LPEClient and various credential-collection utilities. It is noted that LPEClient was the group's main tool for delivering malware at the final stage of attacks in at least three different campaigns in 2023.

One of these campaigns paved the way for the deployment of the Gopuram implant, which was used in cyber attacks on cryptocurrency companies via a trojanized version of the 3CX voice and video conferencing software.