Threat actors such as the notorious Lazarus group are continuing to tap into the ongoing COVID-19 vaccine research to steal sensitive information in order to speed up their countries' vaccine-development efforts.
Cybersecurity firm Kaspersky detailed two incidents at a pharmaceutical company and a government ministry in September and October that leveraged different tools and techniques but exhibited similarities in the post-exploitation process, leading the researchers to link the two attacks to the North Korean government-linked hackers.
"These two incidents reveal the Lazarus group's interest in intelligence related to COVID-19," Seongsu Park, a senior security researcher at Kaspersky, said. "While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well."
Kaspersky did not name the targeted entities but said the pharmaceutical firm was breached on September 25, 2020, with the attack against the government health ministry taking place a month later, on October 27.
Notably, the incident at the pharmaceutical company, which is involved in developing and distributing a COVID-19 vaccine, saw the Lazarus group deploy the "BookCodes" malware, recently used in a supply-chain attack on the South Korean software company WIZVERA to install remote administration tools (RATs) on target systems.
The initial access vector used in the attack remains unknown as yet, but a malware loader identified by the researchers is said to load the encrypted BookCodes RAT, which comes with capabilities to collect system information, receive remote commands, and transmit the results of their execution to command-and-control (C2) servers located in South Korea.
In a separate campaign aimed at the health ministry, the hackers compromised two Windows servers to install a malware known as "wAgent," and then used it to retrieve further malicious payloads from an attacker-controlled server.
As with the previous case, the researchers said they were unable to identify the starter module used in the attack but suspect it to have a "trivial role" of running the malware with specific parameters, after which wAgent loads a Windows DLL containing backdoor functionality directly into memory, leaving no backdoor binary on disk.
"Using this in-memory backdoor, the malware operator executed numerous shell commands to collect victim information," Park said.
Despite the two distinct malware clusters used in the attacks, Kaspersky said the wAgent malware used in October shared the same infection scheme as malware the Lazarus group had previously used in attacks on cryptocurrency businesses, citing overlaps in the malware naming scheme and debugging messages, and the use of a Security Support Provider (SSP) as a persistence mechanism.
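The persistence mechanism named above, registration as a Security Support Provider, can be audited on a Windows host because every package listed under the LSA "Security Packages" registry values is loaded into lsass.exe at boot. The PowerShell below is an added example for defenders and is not code from the article or from Kaspersky's report; the baseline list of package names and the assumption that each package resolves to `<name>.dll` in System32 are assumptions to adapt to the environment being audited.

```powershell
# Added example (not from the article or the Kaspersky report): audit registered
# Security Support Providers and flag any that fall outside a known baseline.
# Windows loads every DLL named in the "Security Packages" values below into
# lsass.exe at boot, which is what makes the technique attractive for persistence.

# ASSUMPTION: baseline of package names shipped with Windows; tune to your fleet.
$KnownSsps = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u',
               'cloudap', 'negoexts', 'negotiate', 'ntlm', 'credssp', 'livessp')

# Both locations are read by LSA (MITRE ATT&CK T1547.005 lists both).
$Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
)

function Get-SspFinding {
    foreach ($key in $Keys) {
        # "Security Packages" is REG_MULTI_SZ, so Get-ItemProperty returns a string array.
        $packages = (Get-ItemProperty -Path $key -Name 'Security Packages' `
                        -ErrorAction SilentlyContinue).'Security Packages'
        if (-not $packages) { continue }

        foreach ($entry in (@($packages) | Where-Object { $_ -and $_.Trim() })) {
            $trimmed = $entry.Trim()
            # ASSUMPTION: a bare name maps to System32\<name>.dll; a path is used as-is.
            $name = [System.IO.Path]::GetFileNameWithoutExtension($trimmed).ToLowerInvariant()
            if ($KnownSsps -contains $name) { continue }

            $dll = if ($trimmed -match '[\\/]') { $trimmed }
                   else { Join-Path $env:SystemRoot "System32\$name.dll" }

            # A non-baseline package is checked for an Authenticode signature;
            # unsigned or missing DLLs loaded into lsass deserve immediate attention.
            $sig = if (Test-Path $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status }
                   else { 'FileMissing' }

            [pscustomobject]@{
                RegistryKey = $key
                Package     = $trimmed
                DllPath     = $dll
                Signature   = $sig
                Verdict     = if ($sig -eq 'Valid') { 'Review' } else { 'Suspicious' }
            }
        }
    }
}

Get-SspFinding | Format-Table -AutoSize
```

Run this in an elevated session on each server; an empty result means every registered package is in the baseline. For ongoing detection rather than a one-off audit, alert on changes to these two registry values and on Security event 4622 ("A security package has been loaded by the Local Security Authority") whose package name is outside the same baseline.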
The development is the latest in a long list of attacks capitalizing on the coronavirus pandemic, a trend observed in numerous phishing lures and malware campaigns during the last year. North Korean hackers are alleged to have targeted pharma companies in India, France, Canada, and the UK-based AstraZeneca.