North Korea Archives

Lazarus Exploits Open-Source Software and Infects it

cyberattack, data-stealing malware, Lazarus, North Korea, Ophtek, SecurityScorecardcyberattack, Lazarus, malware, North Korea, Ophtek, phishing, SecurityScorecardOphtek, LLC

Feb 2025

North Korean hackers from the Lazarus Group have launched a major cyberattack by cloning open-source software and infecting it with malware.

A recent cyberattack has found the North Korean hacking group Lazarus targeting software developers by modifying open-source tools to include malware. Open-source software, freely available for anyone to use or modify, has become a crucial part of software development. However, Lazarus exploited this understanding by injecting malicious code into genuine software. This led to numerous systems becoming compromised, particularly those used by developers in the Web3 and cryptocurrency industries.

Lazarus Attacks Open-Source Software

SecurityScorecard, a cybersecurity organization, discovered that Lazarus had carried out a supply-chain attack known as “Phantom Circuit.” Lazarus selected popular open-source projects to target and embedded malicious code into them. These compromised tools were then uploaded to code-sharing platforms such as GitLab, where developers soon downloaded and started using them.

Once executed, the compromised software set about installing data-stealing malware on the victims’ PCs. The malware’s main objective was harvesting sensitive data such as login credentials, authentication tokens, and other security information. This gave the threat actors full and unauthorized access to their targets’ accounts, allowing them to modify and steal digital assets.

Over 1,500 victims were affected, with the majority being located in Europe, India and Brazil. SecurityScorecard were keen to point out that many of the victims were software engineers, mostly working in cryptocurrency and blockchain technology. In particular, Lazarus targeted modified repositories which hosted Web3 development tools, authentication systems, and cryptocurrency software. These are all attractive targets for threat actors who are looking to make a quick buck through nefarious means and cause digital chaos to IT infrastructures.

How to Protect Yourself

Lazarus has committed numerous cyberattacks in the recent past, with Ophtek previously reporting on their attack on healthcare organizations in 2023. A powerful hacking group, Lazarus has the potential to create powerful and devastating malware. Accordingly, you need to make sure your IT defenses are secure against them and similar hacking groups.

Cybersecurity awareness, as ever, is key to protecting your digital assets, so make sure you follow these best security practices:

Verify Your Software Sources: always double-check where your software is coming from before you hit that download button. Stick to official developer websites and trusted repositories e.g. regularly updated GitHub projects. If a new tool appears out of nowhere or is uploaded by an unknown user, think twice before installing it. If in doubt, remember the golden advice: double check it with an IT professional.
Keep Your Security Software Updated: first of all, make sure you have antivirus and anti-malware software protecting your systems – these can be downloaded from companies such as AVG and Kaspersky. Secondly, as new cyber threats emerge every day, you need to keep your security software up to date to protect you from new malware. Regular updates will ensure you stay one step ahead of the threat actors.
Train Your Employees: Well-trained employees are your first line of defense against cyber threats. Regular cybersecurity training can help your staff recognize phishing attempts, avoid suspicious links, and practice safe browsing and downloading habits. By keeping your team trained and up to date, you can ensure employees stay aware of evolving threats, reducing the risk of security breaches.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

North Korean Hackers Launch New Durian Malware

Durian Malware, install updates, Kimsuky, malware, multi factor authentication, North Korea, Ophtek, spear phishingDurian Malware, install updates, Kimsuky, malware, multi-factor authentification, North Korea, Ophtek, spear phishingOphtek, LLC

Jun 2024

A North Korean hacking group has targeted two South Korean cryptocurrency companies with a new strain of malware dubbed Durian.

The relationship between North and South Korea has always been troubled, and this latest cyber-attack will do little to resolve these tensions. The attack itself uses a previously unseen malware variant known as Durian, which is coded in the Golang programming language. Both attacks occurred in the second half of 2023, with Kaspersky recently announcing them in their Q1 APT trends report.

While you may not run a cryptocurrency firm, or be a target of North Korea, it’s important to understand contemporary threats, so we’re going to look at Durian.

How Does Durian Work?

The exact attack method which Durian uses is currently unknown, but it appears to target software which is exclusively used in South Korea. It’s likely, therefore, that a vulnerability has been discovered, although no specific vulnerability has been identified yet. Regardless of the entry method, what is known is that Durian sets up backdoor functionality. This allows the threat actor to download further files, harvest data and files to external servers, and execute commands on the compromised servers.

Once Durian has a foothold within a target’s system, it starts downloading further malware such as Appleseed and LazyLoad, alongside genuine apps such as Chrome Remote Desktop. This makes Durian a particularly persistent threat and makes it a difficult piece of malware to combat.

It’s believed that the threat actor behind Durian is Kimsuky, a North Korean group who has been active since 2012. Kimsuky has been busy in recent times and appear focused on stealing data on behalf on North Korea. Notably, the usage of LazyLoad indicates that Kimsuky may also be partnering with another North Korean group known as Lazarus. LazyLoad has previously been deployed by Andariel, a splinter group with connections to the Lazarus Group.

Staying One Step Ahead of Durian

A specific fix against Durian hasn’t been announced, but this doesn’t mean your defenses are under immediate threat. Instead, by following the basic principles of cybersecurity, you can keep your IT infrastructure safe:

Always Install Updates: it’s suspected Durian is targeting specific software to establish itself on targeted systems, and this indicates that a vulnerability is being exploited with this software. Therefore, this acts as a worthy reminder on the importance of installing updates promptly. These updates can instantly plug security holes and keep your IT systems secure.
Be Aware of Spear-Phishing: Kimsuky is known for employing spear-phishing techniques so it’s vital your employees are educated on this threat. Typically, spear-phishing targets specific individuals within a company and attempts to deceive them into providing confidential information or direct access to internal systems.
Use Multi-Factor Authentication: if you want to add extra locks to your IT systems, then multi-factor authentication is the way forwards. Password breaches are common, but the use of multi-factor authentication minimizes the risk this poses. After entering a password, a unique code will be sent via SMS or through an authentication app which only the end user will have access to. Without this code, a threat actor will be unable to get any further with your password.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

Healthcare Organizations Targeted by new Lazarus Attack

Backup Strategies, Data Security, Lazarus, North Korea, Ophtek, Phishing, QuiteRATbackup, North Korea, Ophtek, phishing, QuiteRAT, security, updatesOphtek, LLC

Oct 2023

Healthcare organizations across the United States and Europe have recently found themselves targeted by Lazarus, the North Korean hacking group.

Lazarus, who are believed to have ties to the North Korean government, are well known in the world of cybersecurity. In 2022, Lazarus were rumored to have stolen a total of $1.7 billion worth of cryptocurrency across the year. So, yes, Lazarus is a force to be reckoned with. As their latest attack targets organizations rich in sensitive data, it’s important to understand their methods and determine the lessons that can be learned.

What Is Lazarus’ Latest Campaign?

At the heart of this new attack by Lazarus is the ManageEngine ServiceDesk. This management suite is used to help organizations manage their entire IT infrastructure. From networks and servers through to mobile devices and applications, ManageEngine helps make life easier for IT teams. It’s a highly popular management suite, with numerous Fortune 100 businesses implementing it. For healthcare organizations, it’s a crucial service which allows them to stay productive and support their IT systems.

However, as with all, applications, ManageEngine is not 100% secure. The CVE-2022-47966 vulnerability, which was discovered in January 2023, was first exploited by threat actors in February of the same year. This vulnerability allowed the deployment of QuiteRAT, a new and complex brand of malware. QuiteRAT let the threat actors steal data relating to the compromised device and, cleverly, allowed QuiteRAT to “sleep” in order to appear dormant and stay off the radars of security professionals.

Another part of the attack also involves a new strain of malware dubbed CollectionRAT, which has the ability to perform typical remote access trojan tasks such as executing commands on a compromised system. As with previous campaigns, this latest strike utilizes many of the trademark Lazarus tactics and innovations. For example, by using open-source tools to create CollectionRAT, the threat actors are able to launch their attacks more quickly and without raising the alarm immediately.

How Do You Protect Your Organization from Lazarus?

Naturally, the most obvious way to protect your IT infrastructure from Lazarus is to be prompt with installing software patches. Lazarus appears to have infiltrated these healthcare organizations due to a known vulnerability, so patching any holes within your IT systems is essential. Luckily, many updates, such as Windows, can be set to automatic and ensures that your applications are as secure as they can be.

Hacking groups, however, don’t rely solely on vulnerabilities to launch their attacks. In fact, they will deploy almost every technique you can think of to launch an attack. The best practices to stay safe from these are:

Create backups: when confronted with any form of malware, there’s a good chance that your business data will be at risk or being compromised or even permanently erased. Therefore, it’s important that your organization creates regular backups to preserve your data and productivity. One of the most comprehensive methods you should use is the 3-2-1 backup method.
Educate your staff on phishing: staff awareness of phishing is crucial due to the rising risk of phishing and social engineering attacks. Recognizing the telltale signs of a phishing email prevents the chances of data breaches and compromised credentials. This will result in a securer IT landscape for your organization and protect your networks and data.

For more ways to secure and optimize your business technology, contact your local IT professionals.

State-sponsored hacking remains a serious problem for PC users around the world, and the latest headline grabber – with links to North Korea – is EarlyRAT.

A remote access trojan (RAT) is nothing new in the world of cybercrime, with the earliest examples believed to have been released in the late 1980s. However, their impact has grown significantly over the last 30 years, and this means they need to be taken seriously. There’s a culture of evolution in the world of hacking and, as a result, new RATs are always more powerful than the previous generation. And that’s why the emergence of EarlyRAT has got so many IT professionals concerned.

What is a Remote Access Trojan?

You may not be familiar with the ins and outs of a RAT, so we’re going to take a second to explain what they are and why they are so dangerous. A RAT is a malicious software program designed to provide unauthorized remote access and control over a targeted PC. They tend to be disguised as genuine files – this is why RATs are often distributed through phishing emails – but are nothing short of digital chaos.

Once installed, a RAT allows attackers to gain control of the victim’s computer, and this is all carried out remotely. This allows the threat actors to steal sensitive information, monitor user activity, execute commands, and even activate the webcam or microphone to carry out surveillance. All of these dangers put the victim at risk of data theft and further cyber-attacks.

How Does EarlyRAT Work?

EarlyRAT was first detected by security experts at Kaspersky, who were analyzing a hacking campaign from 2022. The attack was made possible due to a flaw discovered in Log4j, a Java library used to log error messages generated by applications. This vulnerability was exploited by the Andariel hacking group, a team believed to be sponsored by North Korea. Once Log4j had been compromised, Andariel was able to download malware to the victims’ PCs.

Part of this initial attack also included a phishing campaign, and it was here that EarlyRAT was first detected. Phishing documents, once activated, would download EarlyRAT from servers well known for having connections to threat actors. EarlyRAT’s first objective was to start logging system information and, after this, it would begin downloading additional malware, affecting the productivity of infected machines and stealing user credentials.

Keeping Safe from EarlyRAT

It’s important that you protect your IT infrastructure and your data, so staying one step ahead of threats like EarlyRAT is vital. To achieve this, make sure you always practice the following:

Install ALL updates: EarlyRAT’s campaign is a fine example of why installing updates is essential. All it takes is one vulnerability for malware to spread through an IT system and steal huge amounts of data. Therefore, plugging any holes in your defenses should be a priority. And installing updates as soon as possible is the best way to achieve this.

Educate your staff: phishing campaigns, as EarlyRAT has demonstrated, can cause you a severe IT headache. With this in mind, it’s crucial that your staff are well educated on the dangers posed by phishing emails. If your employees can take that important step of stopping and thinking before opening an email, they could save your IT system significant down time.

Identify malicious websites: a large number of RATs are located on malicious websites, so it’s important that you know how to spot one of these. With this knowledge at your disposal, you will be able to not only identify a malicious website, but you’ll be able to realize a link is malicious before you even click it.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Category Archives: North Korea