Lazarus Group is believed to be behind a spate of attacks that leverage stolen digital certificates tied to browser software that secures communication with government and financial websites in South Korea.
The Lazarus cybercriminal group is using a novel supply-chain attack against visitors to websites operated by the South Korean government and financial firms, in order to deliver dropper malware that eventually plants a remote access trojan on victims' PCs.
The attacks use stolen digital certificates from two security firms, which allow Lazarus operators to corrupt a browser plug-in designed to protect users from being hacked.
“Attackers are constantly trying to find new ways to deliver malware to target computers. Attackers are particularly interested in supply-chain attacks, because they allow them to covertly deploy malware on many computers at the same time,” wrote ESET researchers in a technical brief outlining the discovery on Monday.
In this attack the Lazarus Group, notorious for its 2014 Sony Pictures Entertainment hack, exploits security software made by Wizvera. The software, called Wizvera VeraPort, is used by South Korean government websites and requires visitors to use a VeraPort browser plug-in for identity verification.
“To understand this novel supply-chain attack, you should be aware that South Korean internet users are often asked to install additional security software when visiting government or internet banking websites,” ESET wrote.
The Supply-Chain Attack
The first stage in the attack is for the Lazarus operators to corrupt a site running the Wizvera software. Researchers believe this is likely accomplished via tried-and-true spear-phishing attacks, which trick website administrators into downloading malicious files or lure them to a booby-trapped website hosting an exploit kit.
Once attackers achieve a foothold on a targeted server, malicious binaries that appear legitimate and are signed with the stolen digital certificates are planted on the compromised website and pushed automatically to unsuspecting site visitors.
“The attackers camouflaged the Lazarus malware samples as legitimate software,” researchers wrote. “These samples have similar filenames, icons and VERSIONINFO resources as legitimate South Korean software often delivered via Wizvera VeraPort. Binaries that are downloaded and executed via the Wizvera VeraPort mechanism are stored in %Temp%\[12_RANDOM_DIGITS]\.”
“These configuration files are digitally signed by Wizvera,” researchers said. “Once downloaded, they are verified using a strong cryptographic algorithm (RSA), which is why attackers can’t easily modify the content of these configuration files or set up their own fake website. However, the attackers can replace the software to be delivered to Wizvera VeraPort users from a legitimate but compromised website. We believe this is the scenario the Lazarus attackers used.”
Dropper Dropped: Now What?
According to ESET, the two illegally obtained code-signing certificates are from security firms Alexis Security Group and Dream Security USA, the latter being the U.S. branch of Wizvera.
Researchers also note that Wizvera VeraPort’s configuration has two options. One option is to not just verify digital signatures, but also to verify the hash of downloaded binaries. If configured to also check and verify the download’s hash, the “attack cannot be performed so easily, even if the website with Wizvera VeraPort is compromised.”
When configured to only check the digital certs, the malicious dropper binaries are camouflaged via polymorphic obfuscation in the code. In other words, the two files (the loader, Btserv.dll, and the downloader, bcyp655.tlb) go undetected and assemble the next stage of the attack on the target’s system.
That next stage delivers the Lazarus remote access trojan. Its commands include operations on the victim’s filesystem and downloading additional tools from the attacker’s arsenal, researchers wrote.
“This time we analyzed how the Lazarus Group used a very interesting approach to target South Korean users of Wizvera VeraPort software. As mentioned in our analysis, it’s the combination of compromised websites with WIZVERA VeraPort support and specific VeraPort configuration options that allow attackers to perform this attack,” ESET researchers wrote.
Mitigations against the attacks include enabling the Wizvera option that specifies hashes of binaries in the VeraPort configuration.
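The difference between the two configuration options described above (signature-only versus signature plus pinned hash) can be shown with a small added model of the download check. This is constructed example code, not Wizvera's or ESET's: real Authenticode chain validation is abstracted as a set of trusted signer names, and the binary contents, filename and hashes are invented for the demonstration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for code-signing verification: a signature is "valid"
# when its signer is in this set. A binary signed with a stolen certificate
# from one of these vendors therefore passes the signature check.
TRUSTED_SIGNERS = {"Wizvera", "Alexis Security Group", "Dream Security USA"}


@dataclass
class ConfigEntry:
    """One binary listed in the vendor-signed configuration file."""
    filename: str
    sha256: Optional[str] = None  # None = signature-only policy (weak option)


@dataclass
class Download:
    """A binary fetched from the website plus the signer of its signature."""
    filename: str
    content: bytes
    signer: Optional[str]  # subject of the signing cert; None if unsigned


def verify_download(entry: ConfigEntry, dl: Download) -> Tuple[bool, str]:
    """Decide whether a fetched binary may be executed under the config's policy."""
    if dl.filename != entry.filename:
        return False, "filename does not match configuration"
    if dl.signer not in TRUSTED_SIGNERS:
        return False, "signature missing or signer not trusted"
    if entry.sha256 is None:
        # Any trusted signer is enough here, including a stolen certificate.
        return True, "accepted on signature alone"
    if hashlib.sha256(dl.content).hexdigest() != entry.sha256:
        return False, "signature valid but hash differs from pinned value"
    return True, "signature and pinned hash both verified"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: the genuine binary versus a substituted one that
    an attacker signed with a stolen but trusted certificate."""
    legit = b"constructed legitimate VeraPort-delivered binary"
    swapped = b"constructed substituted binary planted on the compromised site"
    sig_only = ConfigEntry("security-plugin.exe")
    pinned = ConfigEntry("security-plugin.exe", hashlib.sha256(legit).hexdigest())
    good = Download("security-plugin.exe", legit, "Wizvera")
    bad = Download("security-plugin.exe", swapped, "Alexis Security Group")
    return {
        "legit_signature_only": verify_download(sig_only, good),
        "substituted_signature_only": verify_download(sig_only, bad),
        "legit_hash_pinned": verify_download(pinned, good),
        "substituted_hash_pinned": verify_download(pinned, bad),
    }
```

Only the hash-pinned configuration rejects the substituted binary; the signature-only policy accepts it because the stolen certificate chains to a trusted signer.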