Security researchers have linked Lazarus Group with two attacks targeting institutions related to COVID-19 vaccine development and response. Their data indicates the North Korea-backed group, best known for hacking for financial gain and even sabotage, is strongly interested in COVID-19 intelligence.
The Kaspersky research team reports Lazarus Group targeted a pharmaceutical company at the end of September; during its investigation, it found the group had also targeted a Ministry of Health related to COVID-19 response. While each attack used different tactics, techniques, and procedures, researchers found connections between them and attribute the activity to Lazarus Group "with high confidence."
On Oct. 27, 2020, two Windows servers were compromised at a Ministry of Health. Researchers were unable to identify the attack vector but confirm a sophisticated malware cluster, dubbed "wAgent," was installed on the servers. The malware's main component only works in memory, they say, and it fetches additional payloads from a remote server.
In this attack, the malware was directly executed on the victim's machine. Using the wAgent backdoor, the attacker installed an additional wAgent payload with a persistence mechanism. This wAgent installer works similarly to the wAgent malware loader, and it is tasked with loading an embedded payload after decrypting it with a 16-byte key from the command line.
In the decrypted payload, the malware creates a file path to carry out the infection. The final payload fetches additional payloads from the command-and-control (C2) server — possibly a fully featured backdoor — and loads them in memory, researchers explain in a writeup of the findings.
The wAgent malware used here has the same infection scheme as attacks on cryptocurrency businesses involving Lazarus Group, they note. The cases employed a similar malware naming scheme, used a Security Support Provider as a persistence mechanism, and have "almost identical" debugging messages.
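A defender-side audit of the Security Support Provider (SSP) persistence mechanism named above, added here as an example and not part of the Kaspersky writeup or of this article. It assumes the two LSA registry paths hold the package list and that the baseline names below match a known-good host in your environment; both are assumptions to verify before acting on the output.

```powershell
# Added example (not from the Kaspersky research): list every registered LSA Security
# Support Provider, flag names outside an assumed baseline, and check that the backing
# DLL exists in System32 and carries a valid Authenticode signature.
# Assumption: $Baseline is the default package set on current Windows 10/Server builds;
# compare against a clean reference host rather than trusting this list blindly.
$Baseline = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')
$Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
)

foreach ($Key in $Keys) {
    # 'Security Packages' is REG_MULTI_SZ, so this comes back as a string array.
    $Packages = (Get-ItemProperty -Path $Key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
    if (-not $Packages) { continue }
    foreach ($Pkg in $Packages) {
        # Entries may be empty, quoted, or carry an explicit path; reduce to the bare module name.
        $Name = [System.IO.Path]::GetFileNameWithoutExtension($Pkg.Trim('"'))
        if ([string]::IsNullOrWhiteSpace($Name)) { continue }
        $Dll = Join-Path $env:SystemRoot "System32\$Name.dll"
        $Status = if ($Baseline -contains $Name.ToLower()) { 'baseline' } else { 'UNEXPECTED' }
        $Sig = if (Test-Path $Dll) { (Get-AuthenticodeSignature -FilePath $Dll).Status } else { 'DLL MISSING' }
        [pscustomobject]@{
            Key       = $Key
            Package   = $Name
            Status    = $Status
            DllPath   = $Dll
            Signature = $Sig
        }
    }
}
```

Any row marked UNEXPECTED, or whose DLL is missing or unsigned, is worth pulling for analysis; a package registered here is loaded by LSASS at boot and survives reboots.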
A different payload, dubbed Bookcode malware, was used in the Sept. 25 incident targeting a pharmaceutical company. Lazarus Group had previously deployed Bookcode in an attack on a South Korean software company, possibly targeting its source code or supply chain. It has also been spotted distributing Bookcode via spear-phishing or website compromise in earlier attacks.
Researchers have previously determined that Bookcode is exclusively used by Lazarus Group.
The victim organization in this case is authorized to produce and distribute COVID-19 vaccines and has one in development, researchers say. The researchers were able to identify a loader sample, a file tasked with loading an encrypted payload in the system folder. After decrypting this, the loader finds the Service Host Process with certain parameters and injects the payload into it.
Once the malware is started, it sends data about the victim to the attackers' infrastructure. After communicating with the C2 server, it provides backdoor functionalities. The campaign deploying the Bookcode cluster is intended to extract information from the infected host, including password hashes, researchers explain. It also uses Windows commands to check network connectivity and uses the WakeMeOnLan tool to scan hosts in the same network.
In working with the pharmaceutical firm to remediate the attack, the Kaspersky team found an additional configuration file containing four C2 servers, all of which are compromised servers located in South Korea.
"These two incidents reveal Lazarus Group's interest in intelligence related to COVID-19," says Kaspersky security expert Seongsu Park. "While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well."
Kaspersky believes all entities involved in vaccine research, crisis response, and related activities should be on high alert for cyberattacks, Park adds.
Today's update arrives amid ongoing attacks targeting the COVID-19 vaccine supply chain. Earlier this month, researchers with IBM Security's X-Force reported a spear-phishing campaign targeting individuals across several organizations involved with the supply chain. The activity, which appeared designed to harvest credentials for future attacks, threatens components and participants in the "cold chain" that ensures vaccines are stored and transported safely.