Ethical Hacking News
The Lazarus Group has launched a sophisticated campaign dubbed Operation SyncHole, exploiting vulnerabilities in Cross EX and Innorix Agent to target six organizations in South Korea. This operation highlights the group's adaptability and reach, as well as its efforts to minimize detection by developing new malware and enhancing existing tools.
The Lazarus Group targeted six organizations in South Korea as part of Operation SyncHole. The campaign used a combination of watering hole strategy and vulnerability exploitation, targeting software, IT, financial, semiconductor manufacturing, and telecommunications industries. The operation exploited vulnerabilities in Cross EX, a legitimate software prevalent in South Korea, to deploy ThreatNeedle malware. The Lazarus Group employed security flaws in Innorix Agent for lateral movement, previously observed by the Andariel sub-cluster of the group. The infection sequence involved multiple phases with different malware families and techniques, including Hell's Gate to bypass security solutions. The operation highlights the ongoing threat posed by North Korean-linked cyber actors in targeting supply chains in South Korea.
The Lazarus Group, a notorious North Korea-linked cyber threat actor, has once again demonstrated its sophistication and reach by targeting six organizations in South Korea as part of an operation dubbed Operation SyncHole. This campaign, which began with evidence detected in November 2024, involved a "sophisticated combination of a watering hole strategy and vulnerability exploitation within South Korean software," according to security researchers Sojun Ryu and Vasily Berdnikov.
The targets of this operation were selected from the software, IT, financial, semiconductor manufacturing, and telecommunications industries, highlighting the Lazarus Group's willingness to exploit vulnerabilities across sectors. The campaign employed a "watering hole" strategy, in which visitors to specific South Korean online media sites are redirected to an adversary-controlled domain that serves malware. This approach lets the attackers reach many visitors through a single compromised site, increasing the potential spread of the malware.
At the heart of this operation was the exploitation of a security vulnerability in Cross EX, a legitimate software prevalent in South Korea. This vulnerability enabled the deployment of ThreatNeedle, one of the Lazarus Group's known tools alongside AGAMEMNON, wAgent, SIGNBT, and COPPERHEDGE. The use of Cross EX highlights the Lazarus Group's understanding of South Korean software and its potential for exploitation.
Another notable aspect of this campaign is the use of a security flaw in Innorix Agent for lateral movement. This technique has previously been observed in activity attributed to the Andariel sub-cluster of the Lazarus Group, which used it to deliver malware such as Volgmer and Andardoor. The Lazarus Group's exploitation of this vulnerability demonstrates its adaptability and willingness to adopt new techniques.
The infection sequence involved two phases, utilizing ThreatNeedle and wAgent in the early stages, followed by SIGNBT and COPPERHEDGE for establishing persistence, conducting reconnaissance, and delivering credential dumping tools on compromised hosts. Malware families such as LPEClient were also deployed for victim profiling and payload delivery, while a downloader dubbed Agamemnon facilitated the downloading and execution of additional payloads received from a command-and-control (C2) server.
Furthermore, the campaign incorporated the Hell's Gate technique to bypass security solutions during execution. This approach highlights the Lazarus Group's efforts to minimize detection by developing new malware or enhancing existing tools.
Kaspersky reported that its investigation unearthed an arbitrary file download zero-day vulnerability in Innorix Agent that has since been patched by the developers. Before the fix, however, the vulnerability was exploited by the Lazarus Group, demonstrating the ongoing threat posed by such zero-day exploits.
The Russian cybersecurity vendor noted that "the Lazarus group shows a strong grasp of these specifics and is using a South Korea-targeted strategy that combines vulnerabilities in such software with watering hole attacks." This assessment underscores the sophistication and persistence of the Lazarus Group in targeting supply chains in South Korea.
The experts also observed that the attackers are making efforts to minimize detection by developing new malware or enhancing existing tools. In particular, they have enhanced the C2 communication, the command structure, and the way data is sent and received.
This operation serves as a reminder of the ongoing threat posed by North Korean-linked cyber actors and the importance of monitoring vulnerabilities in South Korea's software ecosystem. As Kaspersky stated, "the Lazarus group's specialized attacks targeting supply chains in South Korea are expected to continue in the future."
Related Information:
https://www.ethicalhackingnews.com/articles/Lazarus-Groups-Cross-EX-Exploitation-Campaign-Uncovering-the-South-Korean-Supply-Chain-Vulnerability-ehn.shtml
https://thehackernews.com/2025/04/lazarus-hits-6-south-korean-firms-via.html
https://en.wikipedia.org/wiki/Lazarus_Group
https://attack.mitre.org/groups/G0032/
Published: Thu Apr 24 13:06:37 2025 by llama3.2 3B Q4_K_M