SIGNBT Malware Linked to North Korean Lazarus Group
The Lazarus Group, a threat actor attributed to North Korea, has been linked to a recent campaign in which an undisclosed software vendor was compromised through the exploitation of known security vulnerabilities in another widely used software product.
Security researchers determined that the intrusion progressed through several stages and ultimately delivered malware families including SIGNBT and LPEClient, the latter a tool the group has used before to profile victims and deliver additional payloads.
Security researcher Seongsu Park noted that the adversary displayed a high level of sophistication, using advanced evasion techniques and a newly observed implant, SIGNBT, to control infected hosts. In this campaign SIGNBT was delivered through a multi-stage infection chain rather than dropped directly.
SIGNBT Deployed Against Cybersecurity Vendor
A Russian cybersecurity vendor revealed that the company responsible for the exploited software had been compromised by Lazarus several times, which points to an effort to steal source code or poison the software supply chain, as in the 3CX supply chain attack. According to Park, Lazarus kept exploiting vulnerabilities in the company's software even after those intrusions, while also targeting other software developers. Several victims of this activity had been identified as of mid-July 2023.
The victims were compromised through a legitimate piece of security software designed to encrypt web communications using digital certificates. The name of the product has not been disclosed, and the precise method used to weaponize it for distributing SIGNBT remains unknown.
Beyond the varied tactics used to gain and maintain control of compromised systems, the attack chains rely on an in-memory loader to launch SIGNBT, so the backdoor itself need not be written to disk as a standalone file. SIGNBT's primary function is to contact a remote server over HTTP and retrieve further instructions to execute on the compromised host. The malware takes its name from distinctive strings prefixed with "SIGNBT" that appear in its HTTP-based command-and-control (C2) traffic.
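The naming detail above is also a detection hook: a protocol marker that the vendor was able to read in the C2 traffic can be turned into a network-side check. The following is an added example written for this page, not code from the original article or from the researchers; it scans constructed proxy-log records for SIGNBT-prefixed tokens. Only the "SIGNBT" prefix is confirmed by the article; the record layout, the sample URLs, and the assumption that the prefix is followed by a short upper-case suffix are all hypothetical choices made for this illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical, simplified proxy-log record: one HTTP request per entry.
# Real logs would carry more fields; these four are enough for the check.
@dataclass
class HttpRequest:
    src: str     # internal client address
    method: str  # HTTP verb
    url: str     # full request URL
    body: str    # decoded request body, empty for GET

# The article confirms only the "SIGNBT" prefix. Requiring two to four
# upper-case letters after it and a word boundary on both sides is an
# assumption for this example, chosen to avoid matching prose mentions.
SIGNBT_MARKER = re.compile(r"\bSIGNBT[A-Z]{2,4}\b")

def find_signbt_markers(requests: List[HttpRequest]) -> List[Tuple[str, str, str]]:
    """Return (source, url, token) for each SIGNBT-prefixed token seen in a
    request URL or body. A request carrying two tokens yields two hits."""
    hits = []
    for r in requests:
        for field in (r.url, r.body):
            for m in SIGNBT_MARKER.finditer(field):
                hits.append((r.src, r.url, m.group(0)))
    return hits

def hosts_with_markers(requests: List[HttpRequest]) -> List[str]:
    """Sorted list of internal hosts that produced at least one marker hit,
    which is the unit an analyst would actually triage."""
    return sorted({src for src, _, _ in find_signbt_markers(requests)})

# Constructed sample traffic for the example; not captured data.
SAMPLE_REQUESTS = [
    HttpRequest("10.0.0.5", "POST", "http://203.0.113.10/news.php", "id=1&data=SIGNBTLG|aGVsbG8="),
    HttpRequest("10.0.0.7", "GET", "http://example.com/index.html", ""),
    HttpRequest("10.0.0.9", "POST", "http://203.0.113.10/news.php", "SIGNBTKE:deadbeef"),
    # Lower-case path and a bare "SIGNBT" with no suffix: neither should match.
    HttpRequest("10.0.0.2", "POST", "http://intranet/signbt-report", "design-by-SIGNBT"),
]

if __name__ == "__main__":
    for src, url, token in find_signbt_markers(SAMPLE_REQUESTS):
        print(f"{src} -> {url} carried marker {token}")
    print("hosts to triage:", hosts_with_markers(SAMPLE_REQUESTS))
```

A literal marker like this is a brittle indicator: the operator can rename it in the next build, and it only helps where request bodies are visible to the proxy (TLS-terminating or on-host). It is best paired with the loader behaviour the article describes, for example alerting on unsigned code executing from memory with no backing file.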
SIGNBT itself is a Windows backdoor with a wide array of capabilities for taking control of the victim's system, including enumerating running processes, managing files and directories, and deploying further payloads such as LPEClient and other utilities for harvesting credentials.