SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Why the Lazarus group poses a massive threat to businesses
Fri, 21st Sep 2018
FYI, this story is more than a year old

Kaspersky Lab revealed that heightened cyberheist activity by the notorious Lazarus group will give rise to more fake supply chain attacks to deliver ever stealthier infections.

The cybergang has also been discovered to have reinforced its financial attack portfolio with malware targeting the MacOS platform.

Kaspersky senior researcher Seongsu Park says, “We have observed how the Lazarus group has constantly evolved--- from waging cyber espionage campaigns worldwide to financial attacks against major banks. Last year, we warned that they are not after your data anymore.

“And indeed, they aren't. These state-backed attackers are now ramping up the sophistication of their attacks and widening their reach to steal more money and trick the cybersecurity industry.

Kaspersky Lab researchers have analyzed the forensic details of the new malicious operations of the APT group, which at first glance looked like a supply chain attack.

Dubbed AppleJeus, the attack compromised users through the Trojanized trading application, Celas Trade Pro, developed by a legitimate company named Celas Limited.

Being Trojanized means infected by a Trojan, a type of malware often disguised as legitimate software.

Once activated, Trojans enable cybercriminals to spy on users, steal sensitive data, and gain backdoor access to systems.

Researchers found evidence that the heist against South Korea's Cryptocurrency Exchange CoinIS, which lost almost US$2 million, was a malicious operation by the Lazarus group. Kaspersky Lab's researcher believes that this cybergang targeted the online wallet of CoinIS's HTA (Home Trading Application) program user via this supply chain attack.

After this, these infamous hackers had to step up their game by using a more sophisticated strategy—faking supply chain attacks to steal cryptocurrency.

Researchers looked into the developer of the Trojanized trading application and found out that while the Celas LLC company possesses valid SSL certificate for signing its software and legitimate-looking registration records for the domain, the address registered in the certificate's information leads to false locations, at least based on the publicly available information retrieved during the investigation.

The high-profile APT group has also developed a reconnaissance-module malware with almost the same capabilities when deployed into Windows software or a MacOS. This type of malware evaluates first if a device is worth attacking, before infecting it with a Trojan known as Fallchill in the form of a software update.

This old but reliable Trojan is another known tool associated with Lazarus.

“With major attacks up its sleeves --- such as the Bangladesh Bank heist and the WannaCry ransomware, to name a few, the Lazarus group is like a constant presence in the world of cybersecurity and it is getting quite adept at hiding and spreading its evil schemes.

“The extensive effort it exerts to create malware for the supposedly safer MacOS environment, and the intricate details needed to create a legitimate-looking application and software company, prove it is far from stopping. There are more attacks to come, and we had better be ready because it won't get any easier,” warns Park.

To boost the defences of consumer devices and company networks from attacks like AppleJeus, Kaspersky Lab suggests being more prudent when choosing third-party vendors. The global cybersecurity company also calls for more caution when trusting legitimate-looking software applications, certificates, and developers.