N. Korean Lazarus Group Targets Software Vendors Using Known Flaws

Oct 27, 2023NewsroomCyber ​​Attack / Malware

N. Korean Lazarus Group

The North Korea-aligned Lazarus group Alleged to be behind a new campaign in which an unnamed software vendor was compromised by exploiting known security flaws in another high-profile software.

The series of attacks, according to Kaspersky, ended with the deployment of malware families such as SIGNBT and LPEClient, a known hacking tool used by the threat actor to profile the victim and payload delivery.

“The adversary showed a high level of sophistication, used advanced evasion techniques and introduced SIGNBT malware for victim control,” security researcher Seongsu Park SAYS. “The SIGNBT malware used in this attack uses a different infection chain and sophisticated techniques.”

The Russian cybersecurity vendor said that the company that developed the exploited software has been the victim of Lazarus attacks several times, which appeared to attempt to steal source code or poison the software supply chain, as in the case of 3CX supply chain attack.


The Lazarus Group “continues to exploit vulnerabilities in the company’s software while targeting other software makers,” Park added. As part of the latest activity, several victims are said to have been selected in mid-July 2023.

The victims, each company, were targeted by a legitimate security software designed to encrypt web communications using digital certificates. The name of the software was not disclosed and the exact mechanism by which the software was used to weaponize the distribution of SIGNBT remains unknown.

Besides relying on various tactics to build and maintain the integrity of compromised systems, the attack chains use an in-memory loader that acts as a launching pad for the SIGNBT malware.

N. Korean Lazarus Group

The main function of SIGNBT is to establish contact with a remote server and obtain additional commands for the execution of the infected host. The malware is so named because of its use of distinctive strings with the prefix “SIGNBT” in HTTP-based command-and-control (C2) communication –

  • SIGNBTLG, for initial connection
  • SIGNBTKE, for collecting system metadata when receiving a SUCCESS message from the C2 server
  • SIGNBTGC, for taking commands
  • SIGNBTFI, for communication failure
  • SIGNBTSR, for successful communication

The Windows backdoor, on the other hand, is equipped with many capabilities to control the victim’s system. This includes process enumeration, file and directory operations, and the deployment of payloads such as LPEClient and other credential-throwing tools.

Kaspersky said it identified at least three different Lazarus campaigns in 2023 using different entry vectors and infection methods, but often relied on the LPEClient malware to deliver the final stage of the malware.


One such campaign paved the way for an implant codenamed Gopuram, which was used in cyber attacks targeting cryptocurrency companies by using a trojanized version of 3CX voice and video conferencing. software.

The latest findings are just the latest example of cyber operations linked to North Korea, plus a testament to the Lazarus Group’s ever-evolving and expanding arsenal of tools, tactics, and techniques.

“The Lazarus Group remains an extremely active and versatile threat actor in today’s cybersecurity landscape,” Park said.

“The threat actor demonstrates a deep understanding of IT environments, refining their tactics to include exploiting high-profile software vulnerabilities.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment