South Korea’s National Cyber Security Center (NCSC) has warned that state-backed DPRK hackers have exploited flaws in VPN software update mechanisms to deploy malware and breach networks.
The advisory links the activity to a nationwide industrial plant modernization plan announced by North Korean President Kim Jong-un in January 2023, which the hackers are believed to be supporting by stealing trade secrets from South Korea.
The two threat groups involved in this activity are Kimsuky (APT43) and Andariel (APT45), state-sponsored actors previously associated with the notorious Lazarus group.
“The information community attributes these hacking activities to the Kimsuky and Andariel hacking organizations under North Korea’s Intelligence General Bureau, noting the unprecedented nature of both organizations simultaneously targeting the same sector for specific policy purposes,” warns the NCSC.
Trojanized updates and installers
In the first case highlighted in the January 2024 advisory, Kimsuky compromised the website of a South Korean construction trade organization to spread malware to visitors.
According to a February report by ASEC, when employees tried to log into the organization’s website, they were asked to install required security software called “NX_PRNMAN” or “TrustPKI”.
These trojanized installers were digitally signed with a valid certificate belonging to the Korean defense company “D2Innovation”, so the signature alone gave antivirus checks no reason to flag them.
Once the trojanized software is installed, the malware can capture screenshots, steal data stored in browsers (credentials, cookies, bookmarks, history), and exfiltrate GPKI certificates, SSH keys, Sticky Notes, and FileZilla data.
The campaign affected South Korean construction companies, public institutions and local government systems.
The second case occurred in April 2024, when, according to the NCSC, Andariel threat actors exploited a vulnerability in the communication protocol of homegrown VPN software to push fake software updates that installed the DoraRAT malware.
“In April 2024, the Andariel hacking group exploited vulnerabilities in the country’s security software (VPN and server security) to replace update files with malware, distributed remote control malware called “DoraRAT” to construction and machinery companies,” reads the machine-translated version of the NCSC advisory.
The NCSC says the vulnerability allowed the threat actors to spoof packets sent to users’ PCs so that they were misidentified as valid server updates, allowing malicious versions to be installed.
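The flaw described above is a classic update-channel failure: the client trusts a packet as an update because it appears to come from the server, and any hash it checks is one the same packet supplied. The following Go program is an added example, not code from the NCSC advisory or from the affected vendor, and the manifest format, product name and version numbers in it are assumptions. It contrasts that weak acceptance logic with a hardened client that verifies an Ed25519 signature from a key pinned in the client, checks the payload against the signed hash, and refuses versions that are not newer than the installed one; all keys and update data are constructed in-process so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is hypothetical update metadata: what a client receives before the payload.
type Manifest struct {
	Product   string
	Version   int
	SHA256    string // hex digest of the payload
	Signature []byte // vendor signature over signingInput(m); the weak design ignores it
}

// signingInput is the canonical byte string the vendor signs (assumed format).
func signingInput(m Manifest) []byte {
	return []byte(fmt.Sprintf("%s|%d|%s", m.Product, m.Version, m.SHA256))
}

func payloadHash(p []byte) string {
	sum := sha256.Sum256(p)
	return hex.EncodeToString(sum[:])
}

// WeakAccept models the flawed client logic: a packet is trusted as an update
// because it claims to come from the update server, and the hash it carries is
// checked only against the payload it carries. That is integrity without
// authenticity: whoever can spoof the server's packets supplies both values.
func WeakAccept(claimsFromServer bool, m Manifest, payload []byte) bool {
	return claimsFromServer && payloadHash(payload) == m.SHA256
}

// VerifyUpdate is the hardened client logic: the manifest must carry a valid
// signature from the public key pinned in the client, the payload must match
// the signed hash, and the version must be newer than what is installed.
func VerifyUpdate(pinned ed25519.PublicKey, installed int, m Manifest, payload []byte) error {
	if len(m.Signature) != ed25519.SignatureSize || !ed25519.Verify(pinned, signingInput(m), m.Signature) {
		return errors.New("manifest not signed by the pinned vendor key")
	}
	if payloadHash(payload) != m.SHA256 {
		return errors.New("payload does not match the signed hash")
	}
	if m.Version <= installed {
		return errors.New("version is not newer than the installed one (rollback/replay)")
	}
	return nil
}

// Outcome summarises the constructed scenario for callers and tests.
type Outcome struct {
	WeakAcceptsSpoof        bool
	HardenedRejectsSpoof    bool
	HardenedAcceptsGenuine  bool
	HardenedRejectsRollback bool
}

// Scenario builds a genuine vendor-signed update, a spoofed one, and a replayed
// old one (all constructed data, keys generated in-process) and runs both checks.
func Scenario() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, untrustedPriv, err := ed25519.GenerateKey(rand.Reader) // a key the vendor never issued
	if err != nil {
		return Outcome{}, err
	}
	const installed = 4

	genuinePayload := []byte("constructed: legitimate VPN client build 5")
	genuine := Manifest{Product: "VPNClient", Version: 5, SHA256: payloadHash(genuinePayload)}
	genuine.Signature = ed25519.Sign(vendorPriv, signingInput(genuine))

	// A spoofed "server" packet: plausible manifest, self-consistent hash, but
	// signed with a key the client has no reason to trust.
	spoofPayload := []byte("constructed: replaced update file")
	spoof := Manifest{Product: "VPNClient", Version: 6, SHA256: payloadHash(spoofPayload)}
	spoof.Signature = ed25519.Sign(untrustedPriv, signingInput(spoof))

	// A replay of an older genuine release, validly signed by the vendor.
	oldPayload := []byte("constructed: legitimate VPN client build 3")
	old := Manifest{Product: "VPNClient", Version: 3, SHA256: payloadHash(oldPayload)}
	old.Signature = ed25519.Sign(vendorPriv, signingInput(old))

	return Outcome{
		WeakAcceptsSpoof:        WeakAccept(true, spoof, spoofPayload),
		HardenedRejectsSpoof:    VerifyUpdate(vendorPub, installed, spoof, spoofPayload) != nil,
		HardenedAcceptsGenuine:  VerifyUpdate(vendorPub, installed, genuine, genuinePayload) == nil,
		HardenedRejectsRollback: VerifyUpdate(vendorPub, installed, old, oldPayload) != nil,
	}, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The design point is that the pinned public key, not the network path, is the root of trust: a signature check makes the source address of an update packet irrelevant, the signed hash binds the payload to the manifest, and the monotonic version check stops a validly signed but old build from being replayed. Real update clients should additionally fetch over TLS with certificate validation, but that alone would not have helped here if the protocol itself accepted unauthenticated update packets.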
DoraRAT is a lightweight Remote Access Trojan (RAT) with minimal functionality that allows it to operate more stealthily.
The variant observed in the particular attack was configured to steal large files, such as machinery and equipment design documents, and deliver them to the attacker’s command and control server.
The NCSC says operators of websites at risk of being targeted by state-sponsored hackers should request a security inspection from the Korea Internet and Security Agency (KISA).
Additionally, it is recommended to implement strict software distribution approval policies and require administrator approval for the final stage of distribution.
Other general advice includes timely software and OS updates, ongoing employee security training, and monitoring government cybersecurity advisories to quickly identify and prevent emerging threats.
In a similar move, a Chinese hacking group breached an ISP to poison DNS entries so that automatic software updates for legitimate software installed malware instead.