North Korea-linked Lazarus APT targets the COVID-19 research

Pierluigi Paganini December 25, 2020

The North Korea-linked Lazarus APT group has recently launched cyberattacks against at least two organizations involved in COVID-19 research.

The North Korea-linked APT group Lazarus has recently launched cyberattacks against two entities involved in COVID-19 research.

The activity of the Lazarus APT group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFTattacks in 2016, and the Sony Pictures hack.

According to a report published by Kaspersky Lab in January 2020, in the two years the North Korea-linked APT group has continued to target cryptocurrency exchanges evolving its TTPs.

Now Kaspersky researchers revealed to have spotted new attacks that were carried out by the APT group in September and October 2020. The attacks aimed at a Ministry of Health and a pharmaceutical company involved in the development of the COVID-19 vaccine.

The systems at the pharmaceutical company were targeted with the BookCode malware, while in the attack against a Ministry of Health the APT group used the wAgent malware. Lazarus APT used the wAgent malware in attacks against cryptocurrency exchanges and businesses.

“While tracking the Lazarus group’s continuous campaigns targeting various industries, we discovered that they recently went after COVID-19-related entities. They attacked a pharmaceutical company at the end of September, and during our investigation we discovered that they had also attacked a government ministry related to the COVID-19 response.” reads the analysis published by Kaspersky. “Each attack used different tactics, techniques and procedures (TTPs), but we found connections between the two cases and evidence linking those attacks to the notorious Lazarus group.”

The Lazarus APT used different techniques in each attack, but Kaspersky experts believe they were both conducted by Lazarus.

Lazarus Covet_01

Both backdoors allow the operators to take full control over the infected systems. The experts were not able to determine the initial infection vector in both attacks, they speculate the attackers launched spear-phishing attacks against their victims or used watering hole attacks.

The wAgent backdoor allows the attackers to executed various shell commands to gather information from the infected device. Experts noticed that Lazarus is using the wAgent backdoor to deliver an additional payload that has a persistence mechanism.

The BookCode backdoor was used by Lazarus hackers to gather system and network information from the targeted system, The malware extract infected host information, including password hashes, from the registry SAM dump.

“We assess with high confidence that the activity analyzed in this post is attributable to the Lazarus group.” continues Kaspersky. “In our previous research, we already attributed the malware clusters used in both incidents described here to the Lazarus group. First of all, we observe that the wAgent malware used against the health ministry has the same infection scheme as the malware that the Lazarus group used previously in attacks on cryptocurrency businesses.”

The attacks discovered by Kaspersky confirm the interest of the APT group in gathering intelligence on COVID-19-related activities.

“While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well.” concludes Kaspersky. “We believe that all entities currently involved in activities such as vaccine research or crisis handling should be on high alert for cyberattacks.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment