Antivirus provider Kaspersky says it caught North Korean hackers trying to spread malware through a “high-profile” legitimate software meant to encrypt web communications.
Kaspersky did not name the software program, but it says the vendor behind the product “had previously fallen victim” to the North Korean hacking group “several times.”
“This recurring breach suggested a persistent and determined threat actor with the likely objective of stealing valuable source code or tampering with the software supply chain, and they continued to exploit vulnerabilities in the company’s software while targeting other software makers,” Kaspersky said in a Friday report.
The antivirus provider uncovered the threat in July when it noticed a series of attacks on several victims, which had been targeted “through legitimate security software designed to encrypt web communications using digital certificates,” it said.
(Credit: Kaspersky)Kaspersky then identified “post-exploitation activity within the processes of the legitimate software” that showed the presence of a malware program, which has been dubbed “SIGNBT.” The malicious code includes several backdoor functions to remotely tamper with a Windows PC and install additional malware capable of stealing passwords.
Kaspersky adds that the original software vendor that was compromised rolled out patches to fix the vulnerability the North Korean hackers were exploiting. But “organizations worldwide still used the flawed version of the software, providing an entry point."
The antivirus provider has linked the malware to notorious North Korean hacking group Lazarus by identifying similar tactics used between the two. This includes how SIGNBT was found installing another malicious payload, called LPEClient, which Kaspersky has also found targeting the defense and cryptocurrency industry.
(Credit: Kaspersky)The report arrives months after software vendor 3CX was exploited to circulate North Korean malware through the company’s desktop app. This allowed the hackers to stage a supply chain attack on unsuspecting customers, who relied on 3CX for VoIP calling. In response, 3CX developed a new desktop app to protect users from the threat. But it remains unclear if every user downloaded it or updated.
