IT Brief Asia - Technology news for CIOs & IT decision-makers

Lazarus Group targets South Korean supply chains via software flaws


Kaspersky's Global Research and Analysis Team (GReAT) has identified a new cyber campaign led by the Lazarus Group targeting supply chains in South Korea through combined watering hole attacks and exploitation of vulnerabilities in third-party software.

The campaign, dubbed "Operation SyncHole," was observed targeting at least six organisations across the software, IT, financial, semiconductor, and telecommunications sectors. According to the Kaspersky GReAT report, the actual number of victims could be higher than those identified.

Kaspersky researchers found that the attackers exploited a one-day vulnerability in Innorix Agent, a browser-integrated file-transfer tool widely used in South Korean administrative and financial systems. Exploiting it enabled lateral movement within the targeted networks and the installation of additional malware, including Lazarus's signature tools ThreatNeedle and LPEClient, delivered through the Agamemnon downloader. The attacks specifically targeted a vulnerable version of Innorix Agent (9.2.18.496).

During the malware analysis, the GReAT team also uncovered a previously unknown zero-day vulnerability in the Innorix Agent software, which had not yet been exploited by attackers. The issue was reported to the Korea Internet & Security Agency (KrCERT) and the software vendor. The vendor has since issued a patched version addressing the vulnerability, now catalogued as KVE-2025-0014.

Sojun Ryu, Security Researcher at Kaspersky's GReAT, commented: "A proactive approach to cybersecurity is essential, and it was thanks to this mindset that our in-depth malware analysis uncovered a previously unknown vulnerability before any signs of active exploitation appeared. Early detection of such threats is key to preventing broader compromise across systems."

Before the Innorix Agent discovery, Kaspersky had already identified variants of the ThreatNeedle and SIGNBT backdoors in further attacks against South Korean targets. The malware ran in the memory of a legitimate process, SyncHost.exe, which had been launched as a subprocess of Cross EX, a South Korean application that lets security tools run across various browsers.

The investigation revealed that five additional organisations were compromised through the same attack vector. In every case, the infection appeared to originate from a vulnerability in Cross EX, which served as the entry point for the wider campaign. A recent KrCERT security advisory confirmed the vulnerability in Cross EX, which has since been patched.
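The process chain described above (a legitimate SyncHost.exe launched under Cross EX, then driven by an in-memory implant) is the kind of lineage a detection rule can key on. The following Python is an added example written for this page; it is not code from Kaspersky's report, from the Cross EX vendor, or from this article. It assumes Sysmon-style JSON-lines telemetry, a placeholder Cross EX parent image name ("CrossEXService.exe", substitute what your own endpoints show), and the heuristic that a SyncHost.exe child of Cross EX that then connects to a non-internal address is worth an alert. The sample events are constructed, with addresses from documentation ranges.

```python
"""Hypothetical detection for the Cross EX -> SyncHost.exe process chain.

Assumptions (mine, not from the Kaspersky report or the article):
- Events are Sysmon-style JSON lines with EventID, ProcessId, Image,
  ParentImage and, for network events, DestinationIp.
- The Cross EX host process is "CrossEXService.exe" (placeholder name).
- A SyncHost.exe spawned by Cross EX that connects outside the internal
  ranges below is suspicious. Tune this against your own baseline.
"""
import ipaddress
import json

CROSSEX_IMAGES = {"crossexservice.exe"}   # placeholder parent image (assumption)
TARGET_IMAGE = "synchost.exe"

EVENT_PROCESS_CREATE = 1      # Sysmon event IDs
EVENT_NETWORK_CONNECT = 3
EVENT_PROCESS_TERMINATE = 5

# Ranges treated as internal. Deliberately not ipaddress.is_private, which
# also classes the documentation ranges used in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample telemetry, not captured data.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 4321, "Image": "C:\\Program Files\\CrossEX\\SyncHost.exe", "ParentImage": "C:\\Program Files\\CrossEX\\CrossEXService.exe"}
{"EventID": 3, "ProcessId": 4321, "Image": "C:\\Program Files\\CrossEX\\SyncHost.exe", "DestinationIp": "203.0.113.7"}
{"EventID": 1, "ProcessId": 4444, "Image": "C:\\Program Files\\CrossEX\\SyncHost.exe", "ParentImage": "C:\\Program Files\\CrossEX\\CrossEXService.exe"}
{"EventID": 3, "ProcessId": 4444, "Image": "C:\\Program Files\\CrossEX\\SyncHost.exe", "DestinationIp": "10.0.0.5"}
{"EventID": 1, "ProcessId": 5000, "Image": "C:\\Program Files\\CrossEX\\SyncHost.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "ProcessId": 5000, "Image": "C:\\Program Files\\CrossEX\\SyncHost.exe", "DestinationIp": "198.51.100.9"}
{"EventID": 5, "ProcessId": 4321, "Image": "C:\\Program Files\\CrossEX\\SyncHost.exe"}
{"EventID": 1, "ProcessId": 4321, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "ProcessId": 4321, "Image": "C:\\Windows\\System32\\notepad.exe", "DestinationIp": "192.0.2.55"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_external(ip):
    """True for a syntactically valid address outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspicious_synchost(events):
    """Return alert records for SyncHost.exe processes spawned by Cross EX
    that later connect to an external address.

    Terminate events and unrelated create events drop a PID from tracking,
    so a later process that reuses the PID is not attributed to the chain.
    """
    tracked = {}   # pid -> record for SyncHost.exe children of Cross EX
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        pid = ev.get("ProcessId")
        if eid == EVENT_PROCESS_CREATE:
            if (_basename(ev.get("Image", "")) == TARGET_IMAGE
                    and _basename(ev.get("ParentImage", "")) in CROSSEX_IMAGES):
                tracked[pid] = {"pid": pid, "image": ev["Image"],
                                "parent_image": ev["ParentImage"],
                                "destinations": []}
            else:
                tracked.pop(pid, None)   # PID now belongs to something else
        elif eid == EVENT_NETWORK_CONNECT:
            rec = tracked.get(pid)
            if rec is not None and _is_external(ev.get("DestinationIp", "")):
                if not rec["destinations"]:
                    alerts.append(rec)   # first external connection raises the alert
                rec["destinations"].append(ev["DestinationIp"])
        elif eid == EVENT_PROCESS_TERMINATE:
            tracked.pop(pid, None)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_synchost(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Only PID 4321 is flagged: PID 4444 stays on internal addresses, PID 5000 was not launched by Cross EX, and the connection from the notepad.exe that later reuses PID 4321 is not attributed to the earlier SyncHost.exe because the terminate event cleared it. In practice, pair this lineage check with the memory-resident indicators the article's detection names hint at (the MEM: prefix), since the implant itself leaves no new image on disk.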

Igor Kuznetsov, Director of Kaspersky's GReAT, said: "Together, these findings reinforce a broader security concern: third-party browser plugins and helper tools significantly increase the attack surface, particularly in environments that rely on region-specific or outdated software. These components often run with elevated privileges, remain in memory, and interact deeply with browser processes, making them highly attractive and often easier targets for attackers than modern browsers themselves."

The Lazarus Group began the operation by compromising online media websites popular with many users. Using the watering hole technique, the actors filtered incoming web traffic to single out individuals of interest, then selectively redirected only those targets to attacker-controlled websites where the malicious attack chain began. This selective redirection underscores the targeted and deliberate methods employed by the group.

Kaspersky has updated its products to detect the exploits and malware used in these attacks, with detections labelled under various names including Trojan.Win64.Lazarus.*, MEM:Trojan.Win32.Cometer.gen, and others.

In response to these findings, Kaspersky has issued several recommendations for organisations seeking to defend against Lazarus and other advanced persistent threat (APT) attacks. The company advises keeping all software updated to mitigate vulnerabilities, conducting cybersecurity audits to identify and address system weaknesses, and using technologies offering real-time protection, threat visibility, and advanced response capabilities. Organisations are also encouraged to equip their information security staff with up-to-date threat intelligence to enable timely identification and management of cyber risks.

The Lazarus Group has been recognised as a highly resourced and persistent threat actor since at least 2009, consistently targeting critical sectors with complex multi-stage cyberattacks tailored to exploit region-specific technologies and software ecosystems.
