Kaspersky Lab experts have uncovered a new campaign by the North Korean Lazarus group in which an unnamed software vendor was targeted through vulnerabilities in other software. The attacks culminated in the deployment of malware families including SIGNBT and LPEClient, which were used to profile victims and deliver payloads.
Kaspersky Lab noted that the targeted company had previously fallen victim to Lazarus, and that the repeated targeting points to an attempt to steal source code or compromise the software supply chain, similar to the 3CX supply chain attack. Lazarus continued to exploit vulnerabilities in the company's software while attacking other software manufacturers, with several victims identified as of mid-July 2023.
The victims were attacked through an undisclosed legitimate security tool designed to encrypt web communications with digital certificates. The exact mechanism by which SIGNBT is distributed remains unknown.
The attack chains employed various tactics, using a loader to launch the malicious SIGNBT, which establishes contact with a remote server to receive further commands. The backdoor is equipped with a wide range of capabilities for monitoring the victim system, including listing processes, performing file operations, and deploying payloads such as LPEClient and credential-dumping utilities. LPEClient was the main tool for delivering malware in at least three different Lazarus campaigns in 2023.
In one of these campaigns, the Gopuram implant was deployed; it was used in cyber attacks on cryptocurrency companies through a trojanized version of the voice and video conferencing software 3CX.