At least six organizations in South Korea have been targeted by the prolific North Korea-linked Lazarus Group as part of a campaign dubbed Operation SyncHole.
The activity targeted South Korea’s software, IT, financial, semiconductor manufacturing, and telecommunications industries, according to a report from Kaspersky published today. The earliest evidence of compromise was first detected in November 2024.
The campaign involved a “sophisticated combination of a watering hole strategy and vulnerability exploitation within South Korean software,” security researchers Sojun Ryu and Vasily Berdnikov said. “A one-day vulnerability in Innorix Agent was also used for lateral movement.”
The attacks have been observed paving the way for variants of known Lazarus tools such as ThreatNeedle, AGAMEMNON, wAgent, SIGNBT, and COPPERHEDGE.
What makes these intrusions particularly effective is the likely exploitation of a security vulnerability in Cross EX, a legitimate software prevalent in South Korea to enable the use of security software in online banking and government websites to support anti-keylogging and certificate-based digital signatures.
“The Lazarus group shows a strong grasp of these specifics and is using a South Korea-targeted strategy that combines vulnerabilities in such software with watering hole attacks,” the Russian cybersecurity vendor said.
The exploitation of a security flaw in Innorix Agent for lateral movement is notable for the fact that a similar approach has also been adopted by the Andariel sub-cluster of the Lazarus Group in the past to deliver malware such as Volgmer and Andardoor.
The starting point of the latest wave of attacks is a watering hole attack, which activated the deployment of ThreatNeedle after targets visited various South Korean online media sites. Visitors who land on the sites are filtered using a server-side script prior to redirecting them to an adversary-controlled domain to serve the malware.
“We assess with medium confidence that the redirected site may have executed a malicious script, targeting a potential flaw in Cross EX installed on the target PC, and launching malware,” the researchers said. “The script then ultimately executed the legitimate SyncHost.exe and injected a shellcode that loaded a variant of ThreatNeedle into that process.”
The infection sequence has been observed adopting two phases, using ThreatNeedle and wAgent in the early stages and then SIGNBT and COPPERHEDGE for establishing persistence, conducting reconnaissance, and delivering credential dumping tools on the compromised hosts.
Also deployed are malware families such as LPEClient for victim profiling and payload delivery, and a downloader dubbed Agamemnon for downloading and executing additional payloads received from the command-and-control (C2) server, while simultaneously incorporating the Hell’s Gate technique to bypass security solutions during execution.
One payload downloaded by Agamemnon is a tool designed to carry out lateral movement by exploiting a security flaw in the Innorix Agent file transfer tool. Kaspersky said its investigation unearthed an additional arbitrary file download zero-day vulnerability in Innorix Agent that has since been patched by the developers.
“The Lazarus group’s specialized attacks targeting supply chains in South Korea are expected to continue in the future,” Kaspersky said.
“The attackers are also making efforts to minimize detection by developing new malware or enhancing existing malware. In particular, they introduce enhancements to the communication with the C2, command structure, and the way they send and receive data.”
