The Lazarus Group, believed to be linked to North Korea, has been observed exploiting undisclosed software vulnerabilities to breach a South Korean financial business entity twice within a year.
The first attack in May 2022 involved the use of a vulnerable version of a widely-used certificate software, while the second attack in October 2022 exploited a zero-day in the same program.
Cybersecurity firm AhnLab Security Emergency Response Center (ASEC) has refrained from disclosing further details, citing unverified vulnerabilities and the lack of software patches. The group leveraged a Bring Your Own Vulnerable Driver (BYOVD) attack to disable the AhnLab V3 anti-malware engine, and used timestomping to modify file timestamps and change file names.
The attack allowed multiple backdoor payloads to be installed and connected to a remote command-and-control (C2) server. This development follows ESET’s report of a new implant called WinorDLL64 deployed by the Lazarus Group using the malware loader Wslink.
ASEC warns that the group constantly alters its tactics, changes its tactics, techniques and procedures (TTPs) to disable security products, and uses anti-forensic techniques to delay detection and analysis.