
SIGNBT Malware

The Lazarus Group, which is associated with North Korea, has been identified as the perpetrator of a recent cyber campaign. In this operation, an unidentified software vendor was compromised through the exploitation of well-known security vulnerabilities in a prominent software product. The series of attacks ultimately led to the deployment of several malware families, including SIGNBT.

Furthermore, the attackers made use of a widely recognized hacking tool commonly employed by this threat actor for activities such as profiling potential victims and delivering payloads. This tool is referred to as LPEClient in tracking efforts.

The APT (Advanced Persistent Threat) Hacker Group Targeted the Same Victim Repeatedly

The attack that delivered SIGNBT followed a multi-stage infection chain and relied on advanced techniques. The Lazarus Group kept exploiting vulnerabilities in the targeted company's software with the aim of compromising other software developers, and as of mid-July 2023 several victims of this latest activity had been identified.

These victims were attacked via legitimate security software designed to encrypt web communications using digital certificates. Neither the software's name nor the precise method by which it was weaponized to distribute SIGNBT has been disclosed.

In addition to employing a range of strategies to establish and maintain a foothold on compromised systems, the attack sequences employed an in-memory loader that served as a conduit for launching the SIGNBT malware.

SIGNBT Malware Contacts a C2 Server for Additional Instructions

The primary purpose of SIGNBT is to establish communication with a remote server and retrieve further instructions for execution on the infected host. This malware earns its name from its use of distinct strings that are prefixed with "SIGNBT" in its HTTP-based command-and-control (C2) communications:

  • SIGNBTLG, for the initial connection
  • SIGNBTKE, for collecting system metadata upon receiving a SUCCESS message from the C2 server
  • SIGNBTGC, for fetching commands
  • SIGNBTFI, for handling communication failures
  • SIGNBTSR, for indicating successful communication
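As an added example (not code from the original write-up or from the malware), the following Python detector scans constructed proxy log lines for the marker strings listed above and distinguishes a host that shows the initial-connection marker followed by a metadata upload or command fetch from a lone hit that may be a false positive. The log format, the IP addresses and the placement of the marker inside the request body are assumptions; the write-up does not state where in an HTTP request SIGNBT puts these strings.

```python
import re
from collections import defaultdict

# Marker strings the write-up attributes to SIGNBT's HTTP C2 traffic,
# mapped to the role each one plays according to the write-up.
SIGNBT_MARKERS = {
    "SIGNBTLG": "initial connection",
    "SIGNBTKE": "system metadata after C2 SUCCESS",
    "SIGNBTGC": "command fetch",
    "SIGNBTFI": "communication failure",
    "SIGNBTSR": "communication success",
}
MARKER_RE = re.compile(r"\b(SIGNBT(?:LG|KE|GC|FI|SR))\b")

# Constructed proxy log lines (not real traffic): "<src-ip> <method> <url> <body-excerpt>".
# Placing the marker in the body is an assumption made for illustration only.
SAMPLE_LOG = """\
10.0.0.5 POST http://203.0.113.7/upload.php SIGNBTLG id=AB12
10.0.0.5 POST http://203.0.113.7/upload.php SIGNBTKE host=WS01 os=win10
10.0.0.5 POST http://203.0.113.7/upload.php SIGNBTGC
10.0.0.9 GET http://intranet.example/news/SIGNBTLG-release-notes.html
10.0.0.12 POST http://203.0.113.7/upload.php SIGNBTFI
"""

def extract_markers(log_text):
    """Return {src_ip: [marker, ...]} with markers in the order they were seen."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split(maxsplit=1)
        if len(fields) < 2:
            continue
        src, rest = fields
        for marker in MARKER_RE.findall(rest):
            seen[src].append(marker)
    return seen

def classify_hosts(markers_by_host):
    """'session' when the initial-connection marker is followed by a metadata
    upload or command fetch; 'single-marker' when only one marker appears (a
    possible false positive, e.g. the string inside an unrelated URL); else 'partial'."""
    verdicts = {}
    for host, markers in markers_by_host.items():
        if "SIGNBTLG" in markers:
            after_lg = markers[markers.index("SIGNBTLG") + 1:]
            if any(m in ("SIGNBTKE", "SIGNBTGC") for m in after_lg):
                verdicts[host] = "session"
                continue
        verdicts[host] = "single-marker" if len(markers) == 1 else "partial"
    return verdicts

if __name__ == "__main__":
    found = extract_markers(SAMPLE_LOG)
    for host, verdict in classify_hosts(found).items():
        stages = ", ".join(SIGNBT_MARKERS[m] for m in found[host])
        print(f"{host}: {verdict} ({stages})")
```

A single marker hit on its own should be triaged rather than alerted on directly; the sequence of markers per host is the stronger signal.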

Beyond its C2 handshake, the Windows backdoor is equipped with a wide array of capabilities for taking control of the victim's system, including enumerating processes, performing file and directory operations, and deploying payloads such as LPEClient and other tools for extracting credentials.

The Lazarus Group Continues to Evolve Its Techniques and Malware Arsenal

In 2023 alone, researchers have identified at least three distinct Lazarus campaigns. These campaigns employed different intrusion methods and infection procedures, but they consistently used the LPEClient malware to deliver the final-stage payload.

One of these campaigns played a pivotal role in introducing an implant known as Gopuram. This implant was employed in cyberattacks directed at cryptocurrency companies, using a tampered version of the 3CX voice and video conferencing software.

These recent findings exemplify ongoing North Korean-linked cyber operations and underscore the Lazarus Group's continuous development and expansion of its arsenal of tools, strategies, and techniques. The Lazarus Group remains an active and adaptable threat actor in the contemporary cybersecurity landscape.