Advanced persistent threat actors continuously advance their ways of working. While some choose to remain consistent in their strategy, others adopt new techniques, tactics and procedures. In Q3, Kaspersky’s researchers witnessed Lazarus, a highly prolific advanced threat actor, developing supply chain attack capabilities and using their multi-platform MATA framework for cyber-espionage goals. This and other APT trends from across the world are revealed in Kaspersky’s latest quarterly threat intelligence summary.
Lazarus is one of the world’s most active threat actors and has been active since at least 2009. This APT group has been behind large-scale cyber-espionage and ransomware campaigns and has been spotted attacking the defense industry and the cryptocurrency market. Having a variety of advanced tools at their disposal, they seem to have chosen to apply them to new goals.
In June 2021, Kaspersky researchers observed the Lazarus group attacking the defense industry using the MATA malware framework, which can target three operating systems – Windows, Linux and macOS. Historically, Lazarus has used MATA to attack various industries for cybercrime purposes, such as stealing customer databases and spreading ransomware. However, this time our researchers tracked Lazarus using MATA for cyber-espionage purposes. The actor delivered a Trojanized version of an application known to be used by their victim of choice – a well-known Lazarus characteristic. Notably, this is not the first time the Lazarus group has attacked the defense industry: their previous ThreatNeedle campaign was carried out in a similar fashion in mid-2020.
Lazarus has also been spotted building supply chain attack capabilities with an updated DeathNote cluster, which consists of a slightly updated variant of BLINDINGCAN, malware previously reported by the US Cybersecurity and Infrastructure Security Agency (CISA). Kaspersky researchers discovered campaigns targeting a South Korean think-tank and an IT asset monitoring solution vendor. In the first case discovered by Kaspersky researchers, Lazarus developed an infection chain that stemmed from legitimate South Korean security software deploying a malicious payload; in the second case, the target was a company developing asset monitoring solutions in Latvia, an atypical victim for Lazarus. As part of the infection chain, Lazarus used a downloader named “Racket” which they signed using a stolen certificate. The actor compromised vulnerable web servers and uploaded several scripts to filter and control the malicious implants on successfully breached machines.
“These recent developments highlight two things: Lazarus remains interested in the defense industry and is also looking to expand its capabilities with supply chain attacks. This APT group is not the only one seen using supply chain attacks. In the past quarter we have also tracked such attacks carried out by SmudgeX and BountyGlad. When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organization –something we saw clearly with the SolarWinds attack last year. With threat actors investing in such capabilities, we need to stay vigilant and focus defense efforts on that front,” comments Ariel Jungheit, senior security researcher, Global Research and Analysis Team, Kaspersky.
The Q3 APT trends report summarizes the findings of Kaspersky’s subscriber-only threat intelligence reports, which also include Indicators of Compromise (IoC) data and YARA rules to assist in forensics and malware hunting.