17 November 2020

Lazarus APT is spotted using hacked security software to deliver malware


Lazarus, a notorious advanced persistent threat (APT) group, which is believed to be operating on behalf of the North Korean government, is using a novel supply-chain attack involving legitimate South Korean security software and digital certificates stolen from two different companies, ESET reports.

The attack was aimed at visitors to websites operated by the South Korean government and financial firms, with the goal of delivering dropper malware that infects victims' computers with a remote access trojan. The threat actor signed its malware with code-signing certificates stolen from two security firms, so that it passed the signature check of the installer plug-in those sites use to deploy security software and was delivered to visitors in place of the legitimate component.

ESET says the hackers took advantage of security software made by WIZVERA. The software in question is WIZVERA VeraPort, an integration installation program used by South Korean government websites. The tool manages the additional security software that users in South Korea are often asked to install when visiting government or internet-banking websites.

“With WIZVERA VeraPort installed on their devices, users receive and install all necessary software required by a specific website with VeraPort (e.g., browser plug-ins, security software, identity verification software, etc.). Minimal user interaction is required to start such a software installation from a website that supports WIZVERA VeraPort. Usually, this software is used by government and banking websites in South Korea. For some of these websites it is mandatory to have WIZVERA VeraPort installed for users to be able to access the sites’ services,” ESET explains.

WIZVERA VeraPort verifies the digital signature of each binary it downloads before executing it. However, the app only checks that the signature is valid; it does not check whom the signing certificate belongs to, so a binary signed with any code-signing certificate is accepted, not only one signed by the vendor whose software the site intended to deliver. “Thus, to abuse WIZVERA VeraPort, attackers must have any valid code-signing certificate in order to push their payload via this method or get lucky and find a VeraPort configuration that does not require code-signing verification,” the report notes.

The researchers discovered two malware samples signed with code-signing certificates illegally obtained from two different companies. The malware was disguised as legitimate South Korean software.

“These samples have similar filenames, icons and VERSIONINFO resources as legitimate South Korean software often delivered via WIZVERA VeraPort. Binaries that are downloaded and executed via the WIZVERA VeraPort mechanism are stored in %Temp%\[12_RANDOM_DIGITS]\. It should be noted that WIZVERA VeraPort’s configuration has an option not only to verify digital signatures, but also to verify the hash of downloaded binaries. If this option is enabled, then such an attack cannot be performed so easily, even if the website with WIZVERA VeraPort is compromised,” according to ESET.
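Added example (not ESET's or WIZVERA's code, and not a model of VeraPort's actual implementation): a small Go program that contrasts the check described above, where a signature valid under any trusted code-signing certificate is enough, with a check that pins the expected publisher and, optionally, the binary's SHA-256, as the hash-verification option in the quote would. The publisher names, the policy structure and the byte strings standing in for the plug-in and the dropper are constructed for the example, and Ed25519 stands in for Authenticode signatures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Publisher stands in for a code-signing certificate: the subject name and
// the key bound to it. Ed25519 replaces Authenticode/RSA only so the example
// runs stand-alone; the policy logic is what matters.
type Publisher struct {
	Name   string
	Public ed25519.PublicKey
}

// SignedDownload is what the installer receives from the website.
type SignedDownload struct{ Body, Signature []byte }

// InstallRule is one entry of a hypothetical per-site policy: which publisher
// must have signed the component and, optionally, the pinned SHA-256 of the
// exact binary (modelled on the hash-verification option ESET mentions).
type InstallRule struct {
	ExpectedPublisher string
	PinnedSHA256      string // empty: hash verification disabled
}

// weakVerify reproduces the flaw described above: the download is accepted
// when the signature validates under ANY trusted code-signing certificate,
// so whose certificate it is never gets compared with whose it should be.
func weakVerify(trusted []Publisher, d SignedDownload) bool {
	for _, p := range trusted {
		if ed25519.Verify(p.Public, d.Body, d.Signature) {
			return true
		}
	}
	return false
}

// strictVerify selects the key by the publisher the policy names (never by
// anything the download claims) and, if a hash is pinned, also requires the
// exact bytes. It returns the reason on failure.
func strictVerify(trusted []Publisher, rule InstallRule, d SignedDownload) (bool, string) {
	var key ed25519.PublicKey
	for _, p := range trusted {
		if p.Name == rule.ExpectedPublisher {
			key = p.Public
		}
	}
	if key == nil {
		return false, "expected publisher not in trust store"
	}
	if !ed25519.Verify(key, d.Body, d.Signature) {
		return false, "signature does not validate under " + rule.ExpectedPublisher
	}
	if sum := sha256.Sum256(d.Body); rule.PinnedSHA256 != "" && hex.EncodeToString(sum[:]) != rule.PinnedSHA256 {
		return false, "SHA-256 of binary does not match pinned value"
	}
	return true, ""
}

// Outcome records how each check treats each constructed download.
type Outcome struct {
	LegitWeak, LegitStrict, LegitPinned             bool // genuine plug-in signed by its vendor
	OtherCertWeak, OtherCertStrict, OtherCertPinned bool // dropper signed with another firm's stolen cert
	VendorCertStrict, VendorCertPinned              bool // dropper signed with the expected vendor's own stolen cert
}

// Scenario builds two trusted publishers, a genuine plug-in and two droppers
// (constructed byte strings, not real samples) and runs every check.
func Scenario() Outcome {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // plug-in author
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)   // unrelated security firm
	trusted := []Publisher{{"Vendor A", vendorPub}, {"Vendor B", otherPub}}
	plugin := []byte("constructed: genuine security plug-in")
	dropper := []byte("constructed: dropper with the plug-in's name, icon and VERSIONINFO")
	h := sha256.Sum256(plugin)
	rule := InstallRule{ExpectedPublisher: "Vendor A"}
	pinned := InstallRule{ExpectedPublisher: "Vendor A", PinnedSHA256: hex.EncodeToString(h[:])}
	legit := SignedDownload{plugin, ed25519.Sign(vendorPriv, plugin)}
	viaOtherCert := SignedDownload{dropper, ed25519.Sign(otherPriv, dropper)}
	viaVendorCert := SignedDownload{dropper, ed25519.Sign(vendorPriv, dropper)}

	var o Outcome
	o.LegitWeak = weakVerify(trusted, legit)
	o.LegitStrict, _ = strictVerify(trusted, rule, legit)
	o.LegitPinned, _ = strictVerify(trusted, pinned, legit)
	o.OtherCertWeak = weakVerify(trusted, viaOtherCert)
	o.OtherCertStrict, _ = strictVerify(trusted, rule, viaOtherCert)
	o.OtherCertPinned, _ = strictVerify(trusted, pinned, viaOtherCert)
	o.VendorCertStrict, _ = strictVerify(trusted, rule, viaVendorCert)
	o.VendorCertPinned, _ = strictVerify(trusted, pinned, viaVendorCert)
	return o
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

The two dropper cases show the two layers separately. Pinning the publisher stops a payload signed with some other firm's stolen certificate, which is the situation the report describes. If the stolen certificate happens to be the expected vendor's own, only the per-site hash pin catches the swapped binary, at the cost of the site having to update the pin with every release of the component.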

As for the final RAT payload, the researchers say it comes with a set of typical features used by the Lazarus group. The commands include operations on the victim’s filesystem and the download and execution of additional tools from the group’s arsenal.

“Attackers are constantly trying to find new ways to deliver malware to target computers. Attackers are particularly interested in supply-chain attacks, because they allow them to covertly deploy malware on many computers at the same time […] We can safely predict that the number of supply-chain attacks will increase in the future, especially against companies whose services are popular in specific regions or in specific industry verticals,” the report warns.
