Unveiling New Cyber Threats: Lazarus and Kimsuky’s Evolving Tactics
A collaborative investigation by Hunt.io and the Acronis Threat Research Unit has recently exposed a vast network of cyber infrastructure operated by North Korean state-sponsored groups, notably Lazarus and Kimsuky. This research sheds light on the sophisticated methods these groups employ to maintain persistent access and coordinate attacks on a global scale.
Discovery of Advanced Malware Variants
One of the significant findings is a new Linux variant of the Badcall backdoor, a malware family previously associated with the 3CX supply chain attack. This updated version boasts enhanced logging capabilities, recording timestamped entries to `/tmp/sslvpn.log` with numeric codes that monitor malware operations. Such logging mechanisms enable attackers to confirm successful execution and oversee behavior during intrusions. Notably, this variant was found on infrastructure linked to Lazarus campaigns, indicating ongoing malware development by the group.
Consistent Operational Patterns
The investigation revealed that both Lazarus and Kimsuky exhibit consistent operational patterns. They utilize open directories as staging points, repeatedly deploying credential theft kits and FRP tunnels on identical ports across multiple VPS hosts. The reuse of certificates connecting separate clusters to the same operators creates a detectable footprint, facilitating tracking through infrastructure analysis rather than solely relying on payload examination.
Active Infrastructure Nodes
Several active infrastructure nodes were identified:
– Credential-Theft Toolkit: A server at 207.254.22.248:8800 exposed a 112 MB toolkit containing tools like MailPassView, WebBrowserPassView, ChromePass, and rclone binaries for data exfiltration.
– Quasar RAT Environment: Another node at 149.28.139.62:8080 hosted a Quasar Remote Access Trojan (RAT) environment with 270 MB of tooling.
– Comprehensive Operational Data: The most significant discovery was at 154.216.177.215:8080, which exposed nearly 2 GB of operational data, including offensive security tools, browser password stealers, privilege-escalation binaries, and development artifacts.
These open directories serve as critical staging points for rapid deployment during intrusions.
FRP Tunneling Nodes
The researchers identified eight FRP tunneling nodes operating on port 9999 across Chinese and APAC-region VPS hosts, each serving identical 10 MB binaries. This uniformity suggests automated provisioning rather than manual configuration. These nodes act as redirectors between compromised hosts and operator-controlled servers, ensuring reliable access even when traditional command-and-control channels are blocked.
Certificate Analysis and Infrastructure Clusters
Certificate analysis linked 12 IP addresses to the subject `hwc-hwp-7779700`, with 10 directly associated with Lazarus malware on port 443. This certificate reuse exposes entire infrastructure clusters before they become active in campaigns, providing valuable insights for preemptive defense measures.
Infection Mechanism of Badcall Variant
The infection mechanism of the Badcall variant begins with processing command-line arguments. It checks for a process ID argument, simulates a kill command via its FakeCmd function, and then daemonizes itself to commence primary operations. The logging function writes timestamped entries, aiding attackers in monitoring the malware’s activities.
Implications and Recommendations
The exposure of this extensive infrastructure underscores the evolving sophistication of North Korean state-sponsored cyber operations. Organizations are urged to enhance their cybersecurity measures by:
– Regularly Updating Systems: Ensure all software and systems are up-to-date to mitigate vulnerabilities.
– Implementing Advanced Threat Detection: Utilize advanced threat detection technologies capable of identifying and responding to sophisticated malware.
– Conducting Regular Security Audits: Perform regular security audits to identify and address potential weaknesses in the infrastructure.
– Educating Employees: Provide ongoing education to employees about phishing tactics and other social engineering methods used by threat actors.
By adopting these measures, organizations can better defend against the persistent and evolving threats posed by groups like Lazarus and Kimsuky.
