Threat Intelligence

12/23/2020
01:40 PM
Lazarus Group Seeks Intelligence Related to COVID-19

Researchers attribute attacks targeting a pharmaceutical company and a government ministry related to COVID-19 response.

Security researchers have linked Lazarus Group with two attacks targeting institutions related to COVID-19 vaccine development and response. Their data indicates the North Korea-backed group, best known for hacking for financial gain and even sabotage, is strongly interested in COVID-19 intelligence. 

The Kaspersky research team reports Lazarus Group targeted a pharmaceutical company at the end of September; during its investigation, it found the group had also targeted a Ministry of Health related to COVID-19 response. While each attack used different tactics, techniques, and procedures, researchers found connections between them and attribute the activity to Lazarus Group "with high confidence." 

On Oct. 27, 2020, two Windows servers were compromised at a Ministry of Health. Researchers were unable to identify the attack vector but confirm a sophisticated malware cluster, dubbed "wAgent," was installed on the servers. The malware's main component only works in memory, they say, and it fetches additional payloads from a remote server.

In this attack, the malware was directly executed on the victim's machine. Using the wAgent backdoor, the attacker installed an additional wAgent payload with a persistence mechanism. This wAgent installer works similarly to the wAgent malware loader, and it is tasked with loading an embedded payload after decrypting it with a 16-byte key from the command line. 

In the decrypted payload, the malware creates a file path to carry out the infection. The final payload fetches additional payloads from the command-and-control (C2) server, possibly a fully featured backdoor, and loads them in memory, researchers explain in a writeup of the findings.

The wAgent malware used here has the same infection scheme as attacks on cryptocurrency businesses involving Lazarus Group, they note. The cases employed a similar malware naming scheme, used a Security Support Provider (SSP) as a persistence mechanism, and had "almost identical" debugging messages.
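Security Support Provider persistence works by registering an extra package DLL that LSASS loads at boot. The following PowerShell audit is an added example, not code from the article or from Kaspersky: it lists the SSPs registered in the two Lsa registry locations and flags any that fall outside a baseline. The baseline package names are an assumption for illustration; compare against a known-good host of the same Windows build.

```powershell
# Added example (not from the article): audit Security Support Provider (SSP)
# registrations, the persistence mechanism the article attributes to wAgent.
function Test-SspRegistration {
    # Assumed baseline of built-in SSPs; verify against a clean host of the same build.
    $Baseline = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')
    $Keys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
    )
    foreach ($Key in $Keys) {
        $Value = Get-ItemProperty -Path $Key -Name 'Security Packages' -ErrorAction SilentlyContinue
        if ($null -eq $Value) { continue }
        # The value is REG_MULTI_SZ; force an array and drop empty entries.
        foreach ($Pkg in (@($Value.'Security Packages') | Where-Object { $_ -ne '' })) {
            # Entries are usually bare names (msv1_0) but may be paths or end in .dll.
            $Name = [IO.Path]::GetFileNameWithoutExtension($Pkg).ToLower()
            $Dll = if ($Pkg -match '\\') { $Pkg } else { Join-Path $env:SystemRoot "System32\$Name.dll" }
            $Status = 'MissingFile'
            if (Test-Path -LiteralPath $Dll) {
                # Unsigned or tampered package DLLs are the primary red flag.
                $Status = (Get-AuthenticodeSignature -FilePath $Dll).Status
            }
            [pscustomobject]@{
                Key        = $Key
                Package    = $Pkg
                Dll        = $Dll
                Signature  = $Status
                InBaseline = ($Baseline -contains $Name)
            }
        }
    }
}

# Report anything outside the baseline or without a valid Authenticode signature.
Test-SspRegistration |
    Where-Object { -not $_.InBaseline -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

An empty result on a healthy host is expected; any package that is not in the baseline, has no DLL on disk, or carries an invalid signature warrants investigation alongside LSASS module loads.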

A different payload, dubbed Bookcode malware, was used in the Sept. 25 incident targeting a pharmaceutical company. Lazarus Group had previously deployed Bookcode in an attack on a South Korean software company, possibly targeting its source code or supply chain. It has also been spotted distributing Bookcode via spear-phishing or website compromise in earlier attacks.

Researchers have previously determined that Bookcode is exclusively used by Lazarus Group.

The victim organization in this case is authorized to produce and distribute COVID-19 vaccines and has one in development, researchers say. The researchers were able to identify a loader sample, a file tasked with loading an encrypted payload in the system folder. After decrypting this, the loader finds the Service Host Process with certain parameters and injects the payload into it. 

Once the malware is started, it sends data about the victim to the attackers' infrastructure. After communicating with the C2 server, it provides backdoor functionalities. The campaign deploying the Bookcode cluster is intended to extract information from the infected host, including password hashes, researchers explain. It also uses Windows commands to check network connectivity and uses the WakeMeOnLan tool to scan hosts in the same network.

In working with the pharmaceutical firm to remediate the attack, the Kaspersky team found an additional configuration file containing four C2 servers, all of which are compromised servers located in South Korea. 

"These two incidents reveal Lazarus Group's interest in intelligence related to COVID-19," says Kaspersky security expert Seongsu Park. "While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well."

Kaspersky believes all entities involved in vaccine research, crisis response, and related activities should be on high alert for cyberattacks, Park adds. 

Today's update arrives amid ongoing attacks targeting the COVID-19 vaccine supply chain. Earlier this month, researchers with IBM Security's X-Force reported a spear-phishing campaign targeting individuals across several organizations involved with the supply chain. The activity, which appeared designed to harvest credentials for future attacks, threatens components and participants in the "cold chain" that ensures vaccines are stored and transported safely.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
