In a current espionage marketing campaign, the notorious North Korean menace group Lazarus focused a number of organizations within the software program, IT, finance, and telecommunications sectors in South Korea.
The menace actor mixed a watering gap assault technique with an exploit for a vulnerability in a file switch consumer that’s required in South Korea to finish sure monetary and administrative duties.
Researchers at Kasperky named the marketing campaign ‘Operation SyncHole’ and say that the exercise compromised a minimum of half a dozen organizations between November 2024 and February 2025.
“We recognized a minimum of six software program, IT, monetary, semiconductor manufacturing and telecommunication organizations in South Korea that fell sufferer to “Operation SyncHole,” Kasperky notes in a report.
Supply: Kaspersky
“Nevertheless, we’re assured that there are a lot of extra affected organizations throughout a broader vary of industries, given the recognition of the software program exploited by Lazarus on this marketing campaign,” the researchers added.
In keeping with Kaspersky, Lazarus hackers used an exploit that was recognized by the seller on the time of the investigation, however it had been leveraged earlier than in different assaults.
Goal choice
The assault began with targets visiting reliable South Korean media portals that Lazarus had compromised with server-side scripts for profiling guests and redirecting legitimate targets to malicious domains.
Within the incidents analyzed by Kaspersky, victims are redirected to websites that mimick software program distributors, such because the distributor of Cross EX – a software that allows South Koreans to make use of security software program in numerous internet browsers for on-line banking and interactions with authorities web sites.
“Though the precise methodology by which Cross EX was exploited to ship malware stays unclear, we consider that the attackers escalated their privileges throughout the exploitation course of as we confirmed the method was executed with excessive integrity degree most often,” defined Kaspersky.
Supply: Kaspersky
The researchers say {that a} malicious JavaScript on the pretend web site exploits the Cross EX software program to ship malware.
Though Kaspersky didn’t discover the precise exploitation methodology used, the researchers “consider that the attackers escalated their privileges throughout the exploitation course of.”
Moreover, “in accordance with a current security advisory posted on the KrCERT web site, there seem like just lately patched vulnerabilities in Cross EX, which have been addressed throughout the timeframe of our analysis,” Kaspersky’s report notes.
The exploit launches the reliable ‘SyncHost.exe’ course of and injects shellcode in it to load the ‘ThreatNeedle’ backdoor, which may execute 37 instructions on the contaminated host.
Supply: Kaspersky
Kaspersky noticed a number of an infection chains throughout the six confirmed victims, which differ in earlier and later phases of the assault, solely the preliminary an infection being the widespread floor.
Within the first part, ThreatNeedle was used to deploy ‘LPEClient’ for system profiling, the ‘wAgent’ or ‘Agamemnon’ malware downloaders, and the ‘Innorix Abuser’ software for lateral motion.
Kaspersky notes that Innorix Abuser exploited a vulnerability within the Innorix Agent file switch answer model 9.2.18.496 and addressed in the most recent model of the software program.
In some circumstances, ThreatNeedle wasn’t used in any respect, with Lazarus as a substitute utilizing the ‘SIGNBT’ implant to deploy the ‘Copperhedge’ backdoor used for inner reconnaissance.
Supply: Kaspersky
Primarily based on the tooling utilized in Operation SyncHole assaults, Kaspersky was capable of confidently attribute the compromises to the Lazarus hacker group backed by the North Korean authorities.
Further clues pointing to the menace actor have been the working hours/obvious timezone together with methods, techniques, and procedures (TTPs) particular to Lazarus.
Primarily based on the current malware samples utilized in Operation SyncHole, Kaspersky noticed that Lazarus is transferring in the direction of light-weight and modular instruments which are each stealthier and extra configurable.
The cybersecurity agency says it has communicated its findings to the Korea Web & Safety Company (KrCERT/CC) and confirmed that patches have been launched for the software program exploited on this marketing campaign.
Through the assault evaluation, Kaspersky researchers additionally discovered a non-exploited zero-day flaw (KVE-2024-0014) in Innorix Agent variations 9.2.18.001 by way of 9.2.18.538, which allowed arbitrary file downloads.
The researchers reported the security problem responsibly by way of the Korea Web & Safety Company (KrCERT) and the seller addressed it in an replace final month.
