Lazarus-Associated Hackers Weaponize Open-Source Tools Against Several Countries

Threat actors associated with North Korea have been spotted weaponizing legitimate open-source software to target employees of organizations across multiple industries.

The findings come from Microsoft Threat Intelligence Center (MSTIC), which published an advisory about the threat on Thursday.

According to the technical write-up, the attacks were executed by an actor Microsoft tracks as Zinc, more commonly known as the Lazarus Group.

The advisory suggests Zinc has targeted media, defense and aerospace, and IT services in the US, UK, India and Russia, successfully compromising numerous organizations.

“Beginning in June 2022, Zinc employed traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets,” Microsoft wrote.

“Upon successful connection, Zinc encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads.”

The specific open-source software tools the hackers are reported to have weaponized for the attacks are PuTTY, KiTTY, TightVNC, Sumatra PDF Reader and muPDF/Subliminal Recording.

“The ongoing campaign related to the weaponized PuTTY was also reported by Mandiant earlier this month,” Microsoft said.

“Due to the wide use of the platforms and software that Zinc utilizes in this campaign, Zinc could pose a significant threat to individuals and organizations across multiple sectors and regions.”

In the advisory, Microsoft is providing hunting queries to help customers comprehensively search their environments for relevant indicators.

According to Tom Kellermann, senior vice president of cyber strategy at Contrast Security, the attacks are worrying because they hint at an evolution in the hacking group's tactics.

“Lazarus is the A team of North Korean hacker crews. They have been elevating their game for a while,” Kellermann tells Infosecurity Magazine.

“This attack could become a perfect storm as rogue nation states and cybercrime cartels might adopt this kill chain, thus poisoning open-source software globally. Organizations must deploy intelligent runtime protection and immediately test any third-party open source code moving through their supply chains.”

The attacks come days after security researchers at SentinelOne uncovered a variant of a campaign attributed to Lazarus using lures for job vacancies at cryptocurrency exchange platform Crypto.com to infect macOS users with malware.
