Tuesday, July 1, 2025

Lazarus hackers breach six firms in watering hole attacks


In a recent espionage campaign, the notorious North Korean threat group Lazarus targeted multiple organizations in the software, IT, finance, and telecommunications sectors in South Korea.

The threat actor combined a watering hole attack strategy with an exploit for a vulnerability in a file transfer client that is required in South Korea to complete certain financial and administrative tasks.

Researchers at Kaspersky named the campaign ‘Operation SyncHole’ and say that the activity compromised at least half a dozen organizations between November 2024 and February 2025.

“We identified at least six software, IT, financial, semiconductor manufacturing and telecommunication organizations in South Korea that fell victim to ‘Operation SyncHole’,” Kaspersky notes in a report.

[Figure: Operation SyncHole activity timeline. Source: Kaspersky]

“However, we are confident that there are many more affected organizations across a broader range of industries, given the popularity of the software exploited by Lazarus in this campaign,” the researchers added.

According to Kaspersky, Lazarus hackers used an exploit that was known to the vendor at the time of the investigation, but it had been leveraged before in other attacks.

Target selection

The attack started with targets visiting legitimate South Korean media portals that Lazarus had compromised with server-side scripts for profiling visitors and redirecting valid targets to malicious domains.

In the incidents analyzed by Kaspersky, victims were redirected to sites that mimic software vendors, such as the distributor of Cross EX, a tool that allows South Koreans to use security software in various web browsers for online banking and interactions with government websites.

“Although the exact method by which Cross EX was exploited to deliver malware remains unclear, we believe that the attackers escalated their privileges during the exploitation process as we confirmed the process was executed with high integrity level in most cases,” explained Kaspersky.

[Figure: Website that triggers the initial infection. Source: Kaspersky]

The researchers say that a malicious JavaScript on the fake website exploits the Cross EX software to deliver malware.

Although Kaspersky did not discover the exact exploitation method used, the researchers “believe that the attackers escalated their privileges during the exploitation process.”

Furthermore, “according to a recent security advisory posted on the KrCERT website, there appear to be recently patched vulnerabilities in Cross EX, which were addressed during the timeframe of our research,” Kaspersky’s report notes.

The exploit launches the legitimate ‘SyncHost.exe’ process and injects shellcode into it to load the ‘ThreatNeedle’ backdoor, which can execute 37 commands on the infected host.
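To show what this endpoint stage looks like in telemetry, here is an added example (not code from Kaspersky's report or from this article): a small Python check over constructed Sysmon-style process-creation and CreateRemoteThread events that flags any remote thread written into SyncHost.exe and reports which process launched that instance. The file paths, PIDs, the browser_helper.exe parent and the event field names are assumptions.

```python
"""
Added example (not Kaspersky's or the article's code): flag shellcode
injection into the legitimate SyncHost.exe, the endpoint stage described
above, using constructed Sysmon-style events (ID 1 ProcessCreate, ID 8
CreateRemoteThread). Paths, PIDs and browser_helper.exe are placeholders.
"""
import ntpath

# Constructed sample telemetry; field names are an assumption modelled on
# Sysmon's Image / ParentImage / SourceImage / TargetImage fields.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 800, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    # Benign launch: SyncHost.exe started by the user's shell, no injection.
    {"id": 1, "pid": 4100, "image": r"C:\placeholder\SyncHost.exe",
     "parent": r"C:\Windows\explorer.exe"},
    # Suspicious launch: SyncHost.exe started by a browser-side helper
    # (placeholder name) that then creates a thread inside it.
    {"id": 1, "pid": 5200, "image": r"C:\placeholder\SyncHost.exe",
     "parent": r"C:\placeholder\browser_helper.exe"},
    {"id": 8, "source_pid": 5100,
     "source_image": r"C:\placeholder\browser_helper.exe",
     "target_pid": 5200, "target_image": r"C:\placeholder\SyncHost.exe",
     "start_address": "0x00000000DEAD0000"},
]

def _base(path):
    # ntpath handles Windows separators even when run on Linux/macOS.
    return ntpath.basename(path).lower()

def find_synchost_injections(events):
    """Return one finding per CreateRemoteThread targeting SyncHost.exe.

    Each finding pairs the injecting process with the parent that launched
    the targeted SyncHost.exe instance: the context an analyst needs to
    judge whether the launch itself was part of the exploit chain.
    """
    parent_of = {e["pid"]: e["parent"] for e in events if e["id"] == 1}
    findings = []
    for e in events:
        if e["id"] == 8 and _base(e["target_image"]) == "synchost.exe":
            findings.append({
                "target_pid": e["target_pid"],
                "injector": _base(e["source_image"]),
                "launched_by": _base(parent_of.get(e["target_pid"], "unknown")),
                "start_address": e["start_address"],
            })
    return findings
```

In a real deployment the same logic runs over the Sysmon event stream, and a launch of SyncHost.exe by anything other than its expected parent is a second, independent signal worth alerting on.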

[Figure: The attack flow. Source: Kaspersky]

Kaspersky observed multiple infection chains across the six confirmed victims, which differ in the earlier and later stages of the attack, with only the initial infection being the common ground.

In the first phase, ThreatNeedle was used to deploy ‘LPEClient’ for system profiling, the ‘wAgent’ or ‘Agamemnon’ malware downloaders, and the ‘Innorix Abuser’ tool for lateral movement.

Kaspersky notes that Innorix Abuser exploited a vulnerability in the Innorix Agent file transfer solution version 9.2.18.496, which has been addressed in the latest version of the software.

In some cases, ThreatNeedle wasn’t used at all, with Lazarus instead using the ‘SIGNBT’ implant to deploy the ‘Copperhedge’ backdoor for internal reconnaissance.

[Figure: Various attack chains observed. Source: Kaspersky]

Based on the tooling used in the Operation SyncHole attacks, Kaspersky was able to confidently attribute the compromises to the Lazarus hacker group backed by the North Korean government.

Additional clues pointing to the threat actor were the working hours and apparent timezone, along with tactics, techniques, and procedures (TTPs) specific to Lazarus.

Based on the recent malware samples used in Operation SyncHole, Kaspersky observed that Lazarus is moving towards lightweight and modular tools that are both stealthier and more configurable.

The cybersecurity firm says it has communicated its findings to the Korea Internet & Security Agency (KrCERT/CC) and confirmed that patches have been released for the software exploited in this campaign.

During the attack analysis, Kaspersky researchers also discovered a non-exploited zero-day flaw (KVE-2024-0014) in Innorix Agent versions 9.2.18.001 through 9.2.18.538, which allowed arbitrary file downloads.

The researchers reported the security issue responsibly through the Korea Internet & Security Agency (KrCERT) and the vendor addressed it in an update last month.
