North Korea’s Lazarus Attacks on Coronavirus-related Data

Security researchers have found traces of North Korea's Lazarus group, this time inside organizations linked to COVID-19 (Corona 19). Lazarus is generally known for attacks with financial objectives, but it has recently shown a deep interest in coronavirus-related information.

In late September, security firm Kaspersky said, “A Lazarus attack targeting a pharmaceutical company was discovered.” While investigating this case, Kaspersky also found that Lazarus had targeted the government department responsible for the coronavirus response. Kaspersky was confident that both were the work of Lazarus, but the two attacks unfolded somewhat differently and used different methods.


In the case of the government health institution, the attack occurred on October 27, and two Windows servers were compromised. The initial intrusion path has not yet been identified. By a method not yet disclosed, the attackers gained access, infiltrated the registry, and then planted a sophisticated malware cluster dubbed wAgent. This malware operates only in memory, and it can retrieve and load additional payloads from remote servers. The attackers ran wAgent on the victim's computer and first downloaded additional payloads to establish persistence.

Once persistence was established, the final payload is reportedly downloaded from the remote server and loaded into the memory of the victim's device. Since Lazarus's aim is to collect data, the final payload is presumed to be a sophisticated backdoor with data-theft capabilities. This attack pattern is said to be the same as when Lazarus previously targeted cryptocurrency exchanges.

The malware's naming scheme is also said to closely resemble that of past Lazarus operations.

In the targeted attack on the pharmaceutical company on September 25, malware called Bookcode was used. The Lazarus group has experience using Bookcode in attacks on technology firms in Korea, where the intent was to steal the software's source code. As far as is known so far, Lazarus is the only group that uses the Bookcode malware.

What the two attacks have in common is that both victims are closely linked to the coronavirus vaccine. Within these two organisations, Kaspersky found traces of data being stolen from the networks, as well as activity such as inspecting and scanning the status of network connections using built-in Windows commands. Kaspersky also found a configuration file containing C&C server details. These servers all turned out to be located in Korea; servers in Korea that the attackers had compromised were used during the operation.

Ultimately, this incident shows how hungry Lazarus is for coronavirus-related information. “Lazarus attacks are understood to be aimed primarily at financial goals, but Lazarus's real strength is its ability to adapt dynamically to the situation. The group that once carried out sabotage operations is now attacking coronavirus-related targets as well,” Kaspersky explained.

Kaspersky also advised: “Organizations currently engaged in activities such as conducting research on or responding to the coronavirus should be particularly wary of cyber attacks.”