The infamous North Korea state-sponsored Lazarus APT was recently found targeting IT supply chains. It used the MATA framework and propagated a new strain of the DeathNote malware. Now, the group has been discovered attempting to hack security researchers, leveraging a new tactic.
Diving into the details
Lazarus is using a trojanized version of the IDA Pro reverse engineering application. Cybersecurity researchers usually use IDA to examine bugs and malware in legitimate software to ascertain the malicious behaviors exhibited by them. Now, since this is expensive software, researchers at times get its pirated version. Pirated versions come with the risk of containing malicious executables, which is the case with a malicious version of IDA Pro 7.5. This application is being disseminated online. While researchers are not yet sure about how the installer is being propagated, it has been in distribution since Q1 2021.
About the supply chain attacks
Lazarus targeted a South Korean security software to target a think tank.
The threat actors targeted a Latvian asset monitoring solutions developer.
The use of the MATA framework suggests that the APT group may expand its IT supply chain attacks.
Not just Lazarus
Cisco Talos uncovered a new malware campaign that has been launched by the Kimsuky APT group since June. Kimsuky is another North Korea state-sponsored threat actor active since 2012. The attacker is distributing malware to South Korean geopolitical and aerospace research agencies. Kimsuky is deploying an ever-evolving set of implants belonging to the Brave Prince/Gold Dragon family.
The bottom line
Lazarus is a highly motivated APT that uses a variety of malware and infrastructure to target every sector. This actor has relentlessly created new infection chains to incapacitate victims. Therefore, a robust cyber defense architecture is the need of the hour, which would prevent organizations from falling prey to these vicious threat actors.