In the incidents analyzed by Kaspersky, victims are redirected to sites that mimick software vendors, such as the distributor of Cross EX - a tool that enables South Koreans to use security software in various web browsers for online banking and interactions with government websites. In a recent espionage campaign, the infamous North Korean threat group Lazarus targeted multiple organizations in the software, IT, finance, and telecommunications sectors in South Korea. “We identified at least six software, IT, financial, semiconductor manufacturing and telecommunication organizations in South Korea that fell victim to “Operation SyncHole,” Kasperky notes in a report. “Although the exact method by which Cross EX was exploited to deliver malware remains unclear, we believe that the attackers escalated their privileges during the exploitation process as we confirmed the process was executed with high integrity level in most cases,” explained Kaspersky. “However, we are confident that there are many more affected organizations across a broader range of industries, given the popularity of the software exploited by Lazarus in this campaign,” the researchers added. Based on the tooling used in Operation SyncHole attacks, Kaspersky was able to confidently attribute the compromises to the Lazarus hacker group backed by the North Korean government. The cybersecurity firm says it has communicated its findings to the Korea Internet & Security Agency (KrCERT/CC) and confirmed that patches have been released for the software exploited in this campaign. Kaspersky notes that Innorix Abuser exploited a vulnerability in the Innorix Agent file transfer solution version 9.2.18.496 and addressed in the latest version of the software. Based on the recent malware samples used in Operation SyncHole, Kaspersky observed that Lazarus is moving towards lightweight and modular tools that are both stealthier and more configurable. The threat actor combined a watering hole attack strategy with an exploit for a vulnerability in a file transfer client that is required in South Korea to complete certain financial and administrative tasks. Furthermore, "according to a recent security advisory posted on the KrCERT website, there appear to be recently patched vulnerabilities in Cross EX, which were addressed during the timeframe of our research," Kaspersky's report notes. The attack started with targets visiting legitimate South Korean media portals that Lazarus had compromised with server-side scripts for profiling visitors and redirecting valid targets to malicious domains. During the attack analysis, Kaspersky researchers also found a non-exploited zero-day flaw (KVE-2024-0014) in Innorix Agent versions 9.2.18.001 through 9.2.18.538, which allowed arbitrary file downloads. According to Kaspersky, Lazarus hackers used an exploit that was known by the vendor at the time of the investigation, but it had been leveraged before in other attacks. The researchers say that a malicious JavaScript on the fake website exploits the Cross EX software to deliver malware. The researchers reported the security issue responsibly through the Korea Internet & Security Agency (KrCERT) and the vendor addressed it in an update last month. Researchers at Kasperky named the campaign 'Operation SyncHole' and say that the activity compromised at least half a dozen organizations between November 2024 and February 2025. In the first phase, ThreatNeedle was used to deploy ‘LPEClient’ for system profiling, the ‘wAgent’ or ‘Agamemnon’ malware downloaders, and the ‘Innorix Abuser’ tool for lateral movement. Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks. Kaspersky observed multiple infection chains across the six confirmed victims, which differ in earlier and later phases of the attack, only the initial infection being the common ground.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 24 Apr 2025 19:15:09 +0000