Lazarus Associated with New Malware Exploiting INITECH Process

New details have emerged about the notorious Lazarus threat actor group. The North Korea-based APT group has been associated with a new malware strain that infected around 47 companies and institutions. The attacks were observed in the first quarter of 2022.

More details about the campaign

  • According to AhnLab ASEC, the malware infected organizations disguised as an executable of INISAFE CrossWeb EX V3, a security program made by INITECH.
  • The malware was injected in the form of a DLL file into inisafecrosswebexsvc.exe to evade detection.
  • Because the host executable appeared to be signed by INITECH, the file could bypass security solutions.
  • The DLL is named SCSKAppLink.dll and contains code that accesses a URL used for malware distribution.
  • AhnLab considers it a new malware type created by Lazarus and has published the IoCs of the malware strains discovered so far.
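As an added example of how a defender might hunt for this technique in endpoint telemetry (this is not code from AhnLab, INITECH or Cyware), the script below reviews constructed Sysmon-style image-load events and flags any DLL loaded into the INISAFE service process that is either the reported module name or is not validly signed by a trusted vendor. The trusted-signer set, the event field names and all sample paths are assumptions; only the process name and DLL name come from the writeup.

```python
"""Flag suspicious DLL loads into inisafecrosswebexsvc.exe, the INISAFE
CrossWeb EX service the campaign abused as a host for its payload DLL."""
from dataclasses import dataclass

TARGET_PROCESS = "inisafecrosswebexsvc.exe"   # process named in the writeup
KNOWN_BAD_MODULE = "scskapplink.dll"          # DLL named in the writeup
# Signers the legitimate service is expected to load code from (assumption;
# baseline this against your own fleet before alerting on it).
TRUSTED_SIGNERS = {"INITECH", "Microsoft Windows", "Microsoft Corporation"}

@dataclass
class Finding:
    process: str
    module: str
    reason: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def review_image_loads(events):
    """Return one Finding per module loaded into the INISAFE service that is the
    known malicious DLL or is not validly signed by a trusted vendor. Events use
    Sysmon Event ID 7 field names (Image, ImageLoaded, Signed, Signature, SignatureStatus)."""
    findings = []
    for ev in events:
        if _basename(ev["Image"]) != TARGET_PROCESS:
            continue                              # other processes are out of scope
        module = ev["ImageLoaded"]
        if _basename(module) == KNOWN_BAD_MODULE:
            findings.append(Finding(ev["Image"], module, "known malicious module name"))
        elif (ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid"
              or ev.get("Signature") not in TRUSTED_SIGNERS):
            findings.append(Finding(ev["Image"], module, "not validly signed by a trusted vendor"))
    return findings

# Constructed sample telemetry (not real IoCs): a benign system DLL, the reported
# malicious DLL name, a differently named third-party-signed DLL, and an unrelated process.
SVC = r"C:\Program Files\INITECH\inisafecrosswebexsvc.exe"
SAMPLE_EVENTS = [
    {"Image": SVC, "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": SVC, "ImageLoaded": r"C:\Program Files\INITECH\SCSKAppLink.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": SVC, "ImageLoaded": r"C:\Program Files\INITECH\helper.dll",
     "Signed": "true", "Signature": "Contoso Ltd", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\notepad.exe", "ImageLoaded": r"C:\Windows\System32\user32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]
```

Running `review_image_loads(SAMPLE_EVENTS)` yields two findings: the reported DLL by name, and the unexpectedly signed helper.dll, which shows the signer check also catches a renamed payload.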

Lazarus’ other recent activities

  • AhnLab ASEC further mentions that an identical malware type was also observed in another campaign targeting the chemical sector.
  • The campaign is an extension of ‘Operation Dream Job’, which has been active since 2020.
  • Named Pompilus, the campaign lured the employees working in the chemical sector into installing malware that could further be used for espionage.

Some noteworthy observations

  • While Lazarus is actively launching attacks across multiple organizations, a new group that is likely to be associated with the North Korean hackers has been uncovered by Zscaler’s ThreatLabz research team.
  • In 2021, the mysterious cybercriminal gang had launched a massive phishing attack through emails, posing as Naver, against South Koreans.
  • In 2022, the same threat actors expanded the attack by spoofing various important entities in South Korea, including the Korea Internet Information Center (KRNIC), Korean security vendors such as AhnLab, and cryptocurrency exchanges such as Binance.

Final words

It is no surprise that Lazarus, one of the most active threat actors in the world, continues to spread its tentacles to target a wide range of organizations. Recently, CISA also warned about its notorious activity against cryptocurrency and blockchain companies. As the APT group relies primarily on phishing emails, organizations are urged to bolster their email defenses to avoid falling victim to such attacks.

Cyware Publisher