Full Report
In a recent espionage campaign, the infamous North Korean threat group Lazarus targeted multiple organizations in the software, IT, finance, and telecommunications sectors in South Korea. [...]
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
**Attribution:** Threat actor confidently attributed to the **Lazarus hacker group**, which is backed by the **North Korean government**.
**Aliases:** Operation SyncHole (name given to the observed campaign activity, not an alias of the group itself).
## Activity Summary
Lazarus recently targeted and breached **six companies** using watering-hole-style attacks. The breaches involved exploiting recently patched vulnerabilities in **Cross EX** software and leveraging a flaw in the **Innorix Agent** file transfer solution (version 9.2.18.496). The attacks show a trend where Lazarus is utilizing **lightweight and modular tools** that are stealthier and more configurable.
## Tactics, Techniques & Procedures
- **Initial Infection:** Watering-hole attacks (see Activity Summary above) leading to exploitation of recently patched vulnerabilities in **Cross EX** software; the specific exploitation steps are not detailed in the excerpt.
- **Process Injection:** Launching the legitimate process **`SyncHost.exe`** and injecting shellcode into it.
- **Backdoor Deployment:** Loading the **`ThreatNeedle`** backdoor, capable of executing 37 commands.
- **System Profiling:** Deployment of **`LPEClient`** for system profiling.
- **Downloaders:** Use of **`wAgent`** or **`Agamemnon`** malware downloaders.
- **Lateral Movement:** Utilizing the **`Innorix Abuser`** tool, which exploited a vulnerability in Innorix Agent file transfer solution version 9.2.18.496.
- **Alternate Chain:** In some cases, deploying the **`SIGNBT`** implant to install the **`Copperhedge`** backdoor for internal reconnaissance, bypassing the use of `ThreatNeedle`.
- **Working Hours/Timezone:** Activity patterns align with known Lazarus characteristics.
- **MITRE ATT&CK IDs:** Not explicitly provided in the text.
## Targeting
**Sectors:** Software, IT, finance, and telecommunications, per the report excerpt above; the confirmed victims were organizations using software such as Cross EX and Innorix Agent.
**Geography:** South Korea, per the report excerpt; the involvement of KrCERT and the South Korean software products targeted are consistent with this.
**Victims:** Six companies were confirmed victims of the initial breach phase. Specific names are not disclosed.
*Noteworthy finding: researchers also identified a zero-day flaw in Innorix Agent versions 9.2.18.001 through 9.2.18.538 (KVE-2024-0014) that was not observed being exploited.*
## Tools & Infrastructure
- **Malware Families Used:**
  - **`ThreatNeedle`** (Backdoor)
  - **`SIGNBT`** (Implant)
  - **`Copperhedge`** (Backdoor)
  - **`LPEClient`** (System Profiling Tool)
  - **`wAgent`** (Downloader)
  - **`Agamemnon`** (Downloader)
- **Infrastructure (C2, domains, IPs):** Not detailed or mentioned in the provided text snippet.
## Implications
The Lazarus Group continues to actively exploit recently patched vulnerabilities in specific software products, indicating that it monitors security advisories (such as those from KrCERT) and moves quickly against organizations that have not yet applied the fixes. Its shift towards **lightweight, modular malware** suggests an organizational effort to increase operational stealth and adaptability during intrusion campaigns. The use of multiple infection chains tailored to individual victims suggests sophisticated planning.
## Mitigations
- Immediately patch vulnerable versions of **Cross EX** software.
- Immediately patch the **Innorix Agent** file transfer solution, specifically addressing the exploited version (`9.2.18.496`) and the reported zero-day (`KVE-2024-0014`, affecting versions 9.2.18.001 through 9.2.18.538).
- Enhance monitoring for process injection into legitimate processes such as **`SyncHost.exe`**.
- Review network traffic for command execution and other activity associated with known Lazarus toolsets if initial exploitation is suspected.
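The Innorix Agent patching item above hinges on correctly deciding whether an installed build falls inside the affected ranges. The following added example (not code from the report or from the vendor) triages a constructed asset inventory against the version facts the summary gives; it assumes Innorix version strings are four dotted segments that compare numerically, so `9.2.18.001` and `9.2.18.1` are the same build, and the `hostname,version` inventory format is hypothetical.

```python
import re

EXPLOITED_VERSION = "9.2.18.496"                    # build abused by Innorix Abuser (from the report)
KVE_2024_0014_RANGE = ("9.2.18.001", "9.2.18.538")  # non-exploited zero-day range (from the report)
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")

def parse_version(text):
    """Four-part dotted version -> tuple of ints.
    Assumption: segments compare numerically, so 9.2.18.001 == 9.2.18.1."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in text.split("."))

def assess_innorix_version(text):
    """Classify one installed Innorix Agent version against the report's findings."""
    v = parse_version(text)
    low, high = (parse_version(b) for b in KVE_2024_0014_RANGE)
    return {
        "exploited_in_campaign": v == parse_version(EXPLOITED_VERSION),
        "affected_by_kve_2024_0014": low <= v <= high,
    }

def triage_inventory(csv_lines):
    """Read 'hostname,version' lines (hypothetical inventory export).
    Returns (hosts_to_patch, unparseable_hosts); the exploited build is listed first."""
    to_patch, bad = [], []
    for line in csv_lines:
        if not line.strip() or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            result = assess_innorix_version(version)
        except ValueError:
            bad.append(host.strip())   # inventory gap: version must be verified by hand
            continue
        if result["affected_by_kve_2024_0014"]:
            to_patch.append((host.strip(), result["exploited_in_campaign"]))
    to_patch.sort(key=lambda item: (not item[1], item[0]))
    return [h for h, _ in to_patch], bad

# Constructed sample inventory, not data from the report.
SAMPLE_INVENTORY = [
    "# hostname,innorix_agent_version",
    "fileserver-01,9.2.18.496",   # the build exploited in the campaign
    "workstation-07,9.2.18.1",    # numerically inside the range (equals .001)
    "workstation-12,9.2.18.539",  # first build above the affected range
    "legacy-03,9.2.18.000",       # below the affected range
    "build-agent-02,unknown",     # unparseable: flagged for manual check
]
```

Hosts returned in the first list need the vendor patch; hosts in the second list have no usable version record and should be checked directly rather than assumed safe.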