The Lazarus Group is one of the major threat actors targeting South Korea. In this talk, we will cover the activities of Lazarus Group’s threat campaigns in South Korea from at least 2022 to the present in 2023.

KrCert/CC has detected the Lazarus group’s undercover information gathering activities targeting major companies in Korea. This campaign was carried out through a large-scale infection method using vulnerabilities in financial security solutions and watering hole techniques. We investigated the campaign by examining over 60 companies and more than 200 hosts to identify the threat actors’ TTPs. In this talk, we will cover:

Infiltration

The Lazarus Group hacked into websites visited by a large number of people and set up watering hole pages. After the target accessed the watering hole pages, the group infected their target with malware by exploiting vulnerabilities in financial security software (the misused financial security software was the security software used by most Koreans and companies).

Lateral movement

The group carried out internal propagation using various methods depending on the target’s situation. They performed internal spread by scanning networks, exploiting SMB services, and taking advantage of vulnerabilities in financial security software.

Exfiltration

Threat actors compromised the company’s key servers for information leakage. The compromised servers have been abuse as a major hub for information leakage.

We will also provide detailed information and TTPs to trace and respond to the threat actors involved in the “large-scale infection campaign using vulnerabilities in financial security solutions and watering hole techniques” campaign conducted by Lazarus Group, which has been confirmed through our investigation process.