Operation SyncHole: Lazarus APT goes back to the well

The Lazarus group has launched “Operation SyncHole,” targeting multiple sectors in South Korea through a combination of watering hole attacks and vulnerability exploitation. The initiative has compromised at least six organizations in software, IT, finance, semiconductor manufacturing, and telecommunications, with potential broader impacts anticipated. Collaboration with the Korea Internet & Security Agency (KrCERT) has led to prompt remediation efforts, and further investigations revealed multiple sophisticated malware variants utilized in these attacks.

Affected: South Korean software, IT, finance, semiconductor manufacturing, telecommunications

Key points:

  • Operation SyncHole targets organizations in South Korea using complex attack vectors.
  • Utilized watering hole strategies combined with software vulnerability exploitation.
  • Impacted at least six organizations across key industries.
  • Confirmed use of multiple malware variants, including ThreatNeedle, wAgent, SIGNBT, and COPPERHEDGE.
  • Communicated with KrCERT for rapid response and updates to affected software.
  • Exploitation of vulnerabilities in software such as Cross EX and Innorix Agent.
  • The attack infrastructure primarily involved compromised legitimate websites in South Korea.
  • Emerging trends include a move towards modular and lightweight malware design.
  • Recommendations for organizations include enhancing security strategies to detect and mitigate similar attacks.

MITRE Techniques:

  • T1583.001: Use of dual domains masquerading as legitimate car rental websites to lure users.
  • T1608.004: Server-side filtering to redirect targets to compromised sites.
  • T1189: Execution of malicious scripts targeting flaws in Cross EX software.
  • T1190: Vulnerabilities exploited in installed software to deliver malware.
  • T1105: Agamemnon downloader used for fetching additional malware from C2 servers.
  • T1570: Innorix abuser used for lateral movement within internal networks.
  • T1016: Internal reconnaissance using COPPERHEDGE to gather system information.
  • T1574.002: Sideloading of malicious DLL files to facilitate malware execution.
  • T1543.003: Creation of services to maintain persistence in the infected environment.

Indicators of Compromise:

  • [MD5] f1bcb4c5aa35220757d09fc5feea193b (Variant of the ThreatNeedle loader)
  • [MD5] dc0e17879d66ea9409cdf679bfea388c (Variant of the wAgent loader)
  • [MD5] 2d47ef0089010d9b699cd1bbbc66f10a (COPPERHEDGE dropper)
  • [URL] www.smartmanagerex[.]com (C2 server)
  • [URL] hxxps://thek-portal[.]com/eng/career/index.asp (C2 server)

Full Story: https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/