Lazarus Group used ActiveX zero-day vulnerability to attack South Korean security think tank

The South Korean agency focuses on national security issues and is believed to have been attacked by North Korean hackers.
Written by Charlie Osborne, Contributing Writer

An ActiveX zero-day vulnerability used in attacks against a South Korean think tank has been connected to Lazarus Group.

The target of these attacks was the Sejong Institute, a non-profit South Korean think tank which conducts research on national security. The private organization works with academic institutions worldwide.

The ActiveX zero-day flaw was discovered on the think tank's website in May by South Korean cybersecurity firm AhnLab. The attack was one amongst many conducted by Andariel Group, an offshoot of Lazarus, which is believed to be linked to North Korea.

According to Bleeping Computer, at least nine separate ActiveX vulnerabilities were recorded in the May wave of attacks.

AlienVault researchers Chris Doman and Jaime Blasco said in a blog post this week that South Korea is a vulnerable target of these attacks due to government mandates which require ActiveX to often be enabled on machines connected to the institute.

CNET: North Korea is using Microsoft, Apple, Samsung tech in cyberattacks

The research team has dug deeper into the campaign. According to AlienVault, the first step to compromise is a profiling script used to scrape information on potential targets -- a technique which has been used by Lazarus before.

Additional scripts are then deployed for additional intelligence gathering and the delivery of the ActiveX exploit.

The script used is similar to many exploit kits, by which browsers are identified alongside the operating system used by a potential victim.

Lazarus appears to have ripped a substantial amount of code from PinLady's Plugin-Detect, a legitimate Javascript library that detects browser plugins.

"If a target is running Internet Explorer, it checks if it is enabled to run ActiveX, and what plugins are enabled from a specific list of ActiveX components," the researchers say.

If the correct combination is detected, the ActiveX exploit is deployed. An additional payload containing malware is then downloaded and executed.

The malware, named splwow32.exe, is a simple backdoor which executes commands over the command prompt. However, the command and control protocol, which includes the sending of messages such as "Success!" and "Welcome!" in particular stages of infection is distinctive.

TechRepublic: North Korea is likely underwriting cyberattacks by mining Monero

The malicious code has previously been seen in an attack against a Taiwanese bank. According to BAE Systems, Lazarus targeted Far Eastern International Bank (FEIB), moving funds from overseas accounts by compromising the bank's SWIFT financial communications system.

The group also used a ransomware called 'Hermes' which the team believes "may have been used as a distraction or cover-up for the security team whilst the heist was occurring."

IssueMakersLab suggests that the attack began in a reconnaissance stage in 2017. Three watering hole exploits have been deployed on the domain this year. The malicious files have now been removed.


North Korea's history of bold cyber attacks

Previous and related coverage

  • Inside the early days of North Korea's cyberwar factory
  • North Korean hacking group Covellite abandons US targets
  • North Korean defectors, journalists targeted through Google Play
  • Editorial standards