Lazarus Hits 6 South Korean Firms with Cross EX, Innorix Flaws and ThreatNeedle Malware

At least six organizations in South Korea have been targeted by a well-known hacker group called Lazarus Group, linked to North Korea. This set of attacks is known as Operation SyncHole.

These attacks focused on several important industries in South Korea: software, information technology (IT), finance, semiconductor manufacturing, and telecommunications. The details come from a Kaspersky report released today. The first signs of the campaign appeared in November 2024.

According to security researchers Sojun Ryu and Vasily Berdnikov, the hackers combined a "watering hole" attack with the exploitation of weaknesses in South Korean software. They also used a flaw in a program called Innorix Agent to move laterally from one part of the network to another.

In this campaign, Lazarus Group deployed several tools it has used before: ThreatNeedle, AGAMEMNON, wAgent, SIGNBT, and COPPERHEDGE.

These attacks are effective largely because they exploit a security vulnerability in software called Cross EX. This software is common in South Korea because online banking and government websites use it to prevent keylogging and support digital signatures.

Kaspersky stated, "The Lazarus Group really understands how South Korean software works. They use a strategy combining software weaknesses with watering hole attacks."

The use of the Innorix Agent weakness for lateral movement is notable because another part of the Lazarus Group, known as Andariel, has previously used a similar strategy to spread malware such as Volgmer and Andardoor.

The attacks began with a watering hole attack that leads to the deployment of ThreatNeedle after victims visit certain South Korean media websites. Scripts on those sites redirect visitors to a hacker-controlled site, where malware is then installed on their computers.

The researchers stated, "We think that the redirected site probably ran a harmful script, aiming to exploit possible problems in Cross EX on the victim's computer, leading to malware being launched." The script eventually runs a program called SyncHost.exe, which injects code to load a version of ThreatNeedle into that process.
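As an added defensive example (not code from Kaspersky's report or the original article), the following Python checks simplified Sysmon-style process events for the two behaviours described above: a browser spawning SyncHost.exe, and a remote thread being created in SyncHost.exe. Field names follow Sysmon's ProcessCreate (event 1) and CreateRemoteThread (event 8) schemas; the sample events, the install path and the browser list are constructed assumptions.

```python
"""Flag process events consistent with the SyncHost.exe abuse described
in the article. Constructed detection logic, not Kaspersky's."""
from typing import Iterable, Optional

# Assumption: browsers a watering-hole redirect would most likely run in.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
TARGET = "synchost.exe"  # Cross EX helper process named in the report


def image_name(path: str) -> str:
    """Return the lower-cased file name from a full image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> Optional[str]:
    """Return an alert string if the event matches, else None.

    Sysmon-style keys: EventID 1 carries Image/ParentImage,
    EventID 8 carries SourceImage/TargetImage.
    """
    if ev.get("EventID") == 1:
        parent = image_name(ev["ParentImage"])
        if image_name(ev["Image"]) == TARGET and parent in BROWSERS:
            return f"browser {parent} spawned {TARGET}"
    elif ev.get("EventID") == 8:
        if image_name(ev["TargetImage"]) == TARGET:
            return f"remote thread from {image_name(ev['SourceImage'])} into {TARGET}"
    return None


def scan(events: Iterable[dict]) -> list:
    """Run check_event over an event stream and collect the alerts."""
    return [a for a in (check_event(e) for e in events) if a]


# Constructed sample events (not real telemetry); the CrossEX path is assumed.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\CrossEX\SyncHost.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetImage": r"C:\Program Files\CrossEX\SyncHost.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Normal SyncHost.exe launches by its own parent process are not flagged, so tune BROWSERS and TARGET to how Cross EX is actually deployed in your environment.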

The infection process occurs in two phases. Initially, ThreatNeedle and wAgent are used. Later, SIGNBT and COPPERHEDGE come into play to keep access, gather information, and capture login details from the affected systems.

Other malware families identified include LPEClient, used to profile the victim and deliver more harmful programs, and a downloader called Agamemnon, which fetches additional harmful software from the command-and-control (C2) server. Agamemnon uses a technique known as Hell's Gate to avoid detection during its operations.

One harmful tool downloaded by Agamemnon is designed to move through computer systems by exploiting a flaw in the Innorix Agent file transfer tool. Kaspersky discovered another unrelated file download flaw in Innorix Agent, which its developers have now fixed.

Kaspersky noted, "The specialized attacks by Lazarus Group focusing on supply chains in South Korea are expected to continue."

"The attackers are working to avoid detection by developing new harmful software or improving existing ones. They specifically enhance how they communicate with the C2 server, their command structure, and how they handle data."