Tag Archive for: Lazarus

Dangerous Windows 10, 11, Server Zero-Day Exploited By Lazarus Hackers

The notorious and highly prolific North Korean Lazarus criminal hacking group has been exploiting an admin-to-kernel privilege escalation Windows security flaw using an updated version of its FudModule rootkit.

What Is CVE-2024-21338 And Why Is It So Dangerous?

In a detailed analysis of the exploit, Lazarus and the FudModule Rootkit, Jan Vojtěšek from the Avast Threat Labs explains how researchers found the exploit for this previously unknown zero-day vulnerability in the Windows appid.sys AppLocker driver.

Although the vulnerability itself, which is monitored as CVE-2024-21338, was reported to Microsoft by Avast in August 2023 along with a proof-of-concept exploit, it wasn’t patched until the February 13 Patch Tuesday updates were made available. However, when the updates were distributed, CVE-2024-21338 wasn’t listed as a zero-day with exploits in the wild.

“From the attacker’s perspective, crossing from admin to kernel opens a whole new realm of possibilities,” Vojtěšek says. “With kernel-level access, an attacker might disrupt security software, conceal indicators of infection (including files, network activity, processes,) disable kernel-mode telemetry, turn off mitigations, and more.”

As for the FudModule rootkit, Vojtěšek says this represents “one of the most complex tools Lazarus holds in their arsenal.”

Microsoft Issued Fix As Part Of February Patch Tuesday

Microsoft has now published an updated security advisory that recognizes this as a zero-day vulnerability.

Impacting various versions of Windows 10, Windows 11 and Windows Server, users are advised to check the updated security advisory and apply the patch if they have not already done so.

Now that Microsoft has issued a patch for this vulnerability, the Avast analysis says, Lazarus’ offensive operations will undoubtedly be disrupted.

“While discovering an admin-to-kernel zero-day may not be as challenging as discovering a zero-day in a more attractive attack surface (such as standard user-to-kernel, or even sandbox-to-kernel),” Vojtěšek concludes, “we believe that finding…

Source…

North Korea’s Lazarus Group upgrades its main malware • The Register

The Lazarus Group, the cybercrime gang linked to the North Korean government, has been named as the perpetrator of an attack against a Spanish aerospace firm, using a dangerous new piece of malware.

Lazarus’s fingerprints were all over a recent attack on an unnamed Spanish aerospace firm, according to security shop ESET, which opined the incident mimics previous Lazarus campaigns that used nearly identical ingress tactics.

ESET asserts this attack bears hallmarks of the Lazarus campaign known as Operation Dream Job right down to the types of encryption used, which mirrors that used in a campaign offering fake jobs at Amazon.

Like those other campaigns, suspected Lazarus hackers used LinkedIn to contact employees at the unnamed Spanish firm. Posing as recruiters from Meta, the Lazarus operatives suggested downloading a pair of coding challenges. Those files were bundled with attack code that, when printed, triggered a payload and installed malware.

ESET asserts that the goal of the attacks, and other Dream Job breaches, was espionage. “Pilfering the know-how of an aerospace company is aligned with long-term goals manifested by Lazarus,” wrote ESET senior malware researcher Peter Kálnai.

The Lazarus Group activity has previously targeted numerous high-profile orgs, including others in aerospace, chemical manufacturing and other nationally critical industries. Lazarus has also pulled off a number of cryptocurrency heists and was named as being behind the Sony Pictures hack in 2015.

Lazarus’s dangerous new toolset

In previous attacks – including the Amazon Dream Job campaign – Lazarus used a remote access Trojan known as BlindingCan.

ESET’s Kálnai suggested this recent attack used an upgraded malware tool named “LightlessCan” that has support for 68 commands, although only 43 appear to be implemented.

ESET’s analysts believe LightlessCan is based on BlindingCan source code, as the order of shared commands is “preserved significantly, even though there may be differences in their indexing.”

LightlessCan adds mimicked Windows command functionality – the tool can mimic commands like ping, ipconfig, systeminfo, sc, net, and the like with a hardcoded “The…

Source…

Lazarus Group Exploits Critical Zoho ManageEngine Flaw to Deploy Stealthy QuiteRAT Malware

Aug 24, 2023 | THN | Cyber Attack / Hacking


The North Korea-linked threat actor known as Lazarus Group has been observed exploiting a now-patched critical security flaw impacting Zoho ManageEngine ServiceDesk Plus to distribute a remote access trojan called QuiteRAT.

Targets include internet backbone infrastructure and healthcare entities in Europe and the U.S., cybersecurity company Cisco Talos said in a two-part analysis published today.

What’s more, a closer examination of the adversary’s recycled attack infrastructure in its cyber assaults on enterprises has led to the discovery of a new threat dubbed CollectionRAT.

The fact that the Lazarus Group continues to rely on the same tradecraft despite those components being well-documented over the years underscores the threat actor’s confidence in their operations, Talos pointed out.

QuiteRAT is said to be a successor to MagicRAT, itself a follow-up to TigerRAT, while CollectionRAT appears to share overlaps with EarlyRAT (aka Jupiter), an implant written in PureBasic with capabilities to run commands on the endpoint.


“QuiteRAT has many of the same capabilities as Lazarus Group’s better-known MagicRAT malware, but its file size is significantly smaller,” security researchers Asheer Malhotra, Vitor Ventura, and Jungsoo An said. “Both implants are built on the Qt framework and include capabilities such as arbitrary command execution.”

The use of the Qt framework is seen as an intentional effort on the part of the adversary to make analysis a lot more challenging as it “increases the complexity of the malware’s code.”

The activity, detected in early 2023, involved the exploitation of CVE-2022-47966, a mere five days after a proof-of-concept (PoC) for the flaw emerged online, to directly deploy the QuiteRAT binary from a malicious URL.


“QuiteRAT is clearly an evolution of MagicRAT,” the researchers said. “While MagicRAT is a bigger, bulkier malware family averaging around 18 MB in size, QuiteRAT is a much much smaller implementation, averaging around 4 to 5 MB in size.”

Another crucial difference between the two is the lack of a built-in persistence mechanism in QuiteRAT, necessitating that a command be issued from the server…

Source…

Lazarus X_TRADER Hack Impacts Critical Infrastructure Beyond 3CX Breach

Apr 22, 2023 | Ravie Lakshmanan | Supply Chain / Cyber Threat


Lazarus, the prolific North Korean hacking group behind the cascading supply chain attack targeting 3CX, also breached two critical infrastructure organizations in the power and energy sector and two other businesses involved in financial trading using the trojanized X_TRADER application.

The new findings, which come courtesy of Symantec’s Threat Hunter Team, confirm earlier suspicions that the X_TRADER application compromise affected more organizations than 3CX. The names of the organizations were not revealed.

Eric Chien, director of security response at Broadcom-owned Symantec, told The Hacker News in a statement that the attacks took place between September 2022 and November 2022.

“The impact from these infections is unknown at this time – more investigation is required and is on-going,” Chien said, adding it’s possible that there’s “likely more to this story and possibly even other packages that are trojanized.”

The development comes as Mandiant disclosed that the compromise of the 3CX desktop application software last month was facilitated by another software supply chain breach targeting X_TRADER in 2022, which an employee downloaded to their personal computer.

It’s currently unclear how UNC4736, a North Korean nexus actor, tampered with X_TRADER, a piece of trading software developed by a company named Trading Technologies. While the service was discontinued in April 2020, it was still available for download on the company’s website as recently as last year.

Mandiant’s investigation has revealed that the backdoor (dubbed VEILEDSIGNAL) injected into the corrupted X_TRADER app allowed the adversary to gain access to the employee’s computer and siphon their credentials, which were then used to breach 3CX’s network, move laterally, and compromise the Windows and macOS build environments to insert malicious code.

The sprawling interlinked attack appears to have substantial overlap with previous North Korea-aligned groups and campaigns that have historically targeted cryptocurrency companies and conducted financially motivated attacks.

The Google Cloud subsidiary has assessed with “moderate confidence” that…

Source…