In a current espionage marketing campaign, the notorious North Korean risk group Lazarus focused a number of organizations within the software program, IT, finance, and telecommunications sectors in South Korea.
The risk actor mixed a watering gap assault technique with an exploit for a vulnerability in a file switch shopper that’s required in South Korea to finish sure monetary and administrative duties.
Researchers at Kasperky named the marketing campaign ‘Operation SyncHole’ and say that the exercise compromised not less than half a dozen organizations between November 2024 and February 2025.
“We recognized not less than six software program, IT, monetary, semiconductor manufacturing and telecommunication organizations in South Korea that fell sufferer to “Operation SyncHole,” Kasperky notes in a report.
Supply: Kaspersky
“Nevertheless, we’re assured that there are various extra affected organizations throughout a broader vary of industries, given the recognition of the software program exploited by Lazarus on this marketing campaign,” the researchers added.
In response to Kaspersky, Lazarus hackers used an exploit that was recognized by the seller on the time of the investigation, but it surely had been leveraged earlier than in different assaults.
Goal choice
The assault began with targets visiting legit South Korean media portals that Lazarus had compromised with server-side scripts for profiling guests and redirecting legitimate targets to malicious domains.
Within the incidents analyzed by Kaspersky, victims are redirected to websites that mimick software program distributors, such because the distributor of Cross EX – a software that allows South Koreans to make use of safety software program in varied internet browsers for on-line banking and interactions with authorities web sites.
“Though the precise methodology by which Cross EX was exploited to ship malware stays unclear, we consider that the attackers escalated their privileges throughout the exploitation course of as we confirmed the method was executed with excessive integrity stage typically,” defined Kaspersky.
Supply: Kaspersky
The researchers say {that a} malicious JavaScript on the faux web site exploits the Cross EX software program to ship malware.
Though Kaspersky didn’t discover the precise exploitation methodology used, the researchers “consider that the attackers escalated their privileges throughout the exploitation course of.”
Moreover, “based on a current safety advisory posted on the KrCERT web site, there seem like just lately patched vulnerabilities in Cross EX, which had been addressed throughout the timeframe of our analysis,” Kaspersky’s report notes.
The exploit launches the legit ‘SyncHost.exe’ course of and injects shellcode in it to load the ‘ThreatNeedle’ backdoor, which may execute 37 instructions on the contaminated host.
Supply: Kaspersky
Kaspersky noticed a number of an infection chains throughout the six confirmed victims, which differ in earlier and later phases of the assault, solely the preliminary an infection being the widespread floor.
Within the first part, ThreatNeedle was used to deploy ‘LPEClient’ for system profiling, the ‘wAgent’ or ‘Agamemnon’ malware downloaders, and the ‘Innorix Abuser’ software for lateral motion.
Kaspersky notes that Innorix Abuser exploited a vulnerability within the Innorix Agent file switch resolution model 9.2.18.496 and addressed in the newest model of the software program.
In some instances, ThreatNeedle wasn’t used in any respect, with Lazarus as an alternative utilizing the ‘SIGNBT’ implant to deploy the ‘Copperhedge’ backdoor used for inner reconnaissance.
Supply: Kaspersky
Primarily based on the tooling utilized in Operation SyncHole assaults, Kaspersky was in a position to confidently attribute the compromises to the Lazarus hacker group backed by the North Korean authorities.
Further clues pointing to the risk actor had been the working hours/obvious timezone together with methods, ways, and procedures (TTPs) particular to Lazarus.
Primarily based on the current malware samples utilized in Operation SyncHole, Kaspersky noticed that Lazarus is shifting in direction of light-weight and modular instruments which can be each stealthier and extra configurable.
The cybersecurity agency says it has communicated its findings to the Korea Web & Safety Company (KrCERT/CC) and confirmed that patches have been launched for the software program exploited on this marketing campaign.
Through the assault evaluation, Kaspersky researchers additionally discovered a non-exploited zero-day flaw (KVE-2024-0014) in Innorix Agent variations 9.2.18.001 by 9.2.18.538, which allowed arbitrary file downloads.
The researchers reported the safety problem responsibly by the Korea Web & Safety Company (KrCERT) and the seller addressed it in an replace final month.
