The North Korean threat actor known as Lazarus Group has been spotted exploiting flaws in unnamed software to gain access to a South Korean finance firm twice last year. The news comes from security researchers at Asec, who published an advisory about the attacks on Tuesday.
The company recorded the first of the attacks in May 2022, while the second occurred in October of the same year. Both operations reportedly relied on the same zero-day vulnerability.
“During the infiltration in May 2022, the affected company was using a vulnerable version of a certificate program that was commonly used by public institutions and universities,” reads the Asec advisory.
“After the incident, they updated all of their software to their latest versions. However, the Lazarus group used the software’s zero-day vulnerability to carry out their infiltration this time.”
Asec said that, after discovering the flaw, it disclosed it to the Korea Internet & Security Agency (KISA).
“Since the vulnerability has not been fully verified yet and a software patch has not been released, we will be omitting the manufacturer and software from this post,” Asec wrote.
From a technical standpoint, the threat actors used a Bring Your Own Vulnerable Driver (BYOVD) method to exploit the software’s vulnerable driver kernel modules and disable security products on infected machines.
“Additionally, they would perform anti-forensic techniques to hide their malicious behaviors by either changing file names before deleting them or modifying timestamps,” explained Asec.
More generally, the security researchers noted that while the certificate software in question is commonly used in Korea, it does not feature auto-updates.
“Since these types of software are not updated automatically, they must be manually patched to the latest version or deleted if unused.”
Further, because the victim company was re-infiltrated by the same hacker group using a similar method, Asec issued specific recommendations for firms to defend against similar attacks.
“Instead of taking only post-attack measures, continuous monitoring is required to prevent recurrences.”
The Asec advisory comes weeks after Eset researchers linked a payload of the Wslink downloader named WinorDLL64 to Lazarus Group threat actors.