The North Korea-linked Lazarus APT group is now also targeting the IT supply chain, researchers from Kaspersky Lab warn.

The APT group used a new variant of the BLINDINGCAN backdoor in attacks aimed at a Latvian IT vendor and a South Korean think tank.

The nation-state actor used its multi-platform malware framework, MATA.

Kaspersky experts reported that the Lazarus APT is building supply-chain attack capabilities with an updated Death Note malware cluster, which is an updated variant of the BlindingCan RAT. The use of the BlindingCan RAT was first documented by the U.S. CISA in August 2020. BlindingCan was employed in attacks on US and foreign companies operating in the military defense and aerospace sectors.

The BLINDINGCAN RAT implements the following built-in functions:

  • Retrieve information about all installed disks, including the disk type and the amount of free space on the disk
  • Get OS version information
  • Get Processor information
  • Get system name
  • Get local IP address information
  • Get the victim’s MAC address
  • Create, start, and terminate a new process and its primary thread
  • Search, read, write, move, and execute files
  • Get and modify file or directory timestamps
  • Change the current directory for a process or file
  • Delete malware and artifacts associated with the malware from the infected system

The CISA MAR provided indicators of compromise (IoCs), YARA rules, and other technical information that system administrators could use to discover compromised systems within their networks.

“Our investigation revealed indications that point to Lazarus building supply-chain attack capabilities. In one case, we found that the infection chain stemmed from legitimate South Korean security software executing a malicious payload; and in the second case, the target was a company developing asset monitoring solutions in Latvia, an atypical victim for Lazarus.”

Kaspersky Report

This is the first IT supply chain attack conducted by Lazarus that was documented by Kaspersky researchers.

Indicators of Compromise
