Threat Intelligence

New Lazarus campaign hits South Korea


BleepingComputer reports that at least half a dozen South Korean organizations in the finance, telecommunications, IT, and software industries were compromised by the North Korean hacking collective Lazarus Group in a new cyberespionage campaign that ran from November to February and combined a watering hole attack technique with the exploitation of a vulnerability in South Korean software.

Intrusions in the campaign, dubbed Operation SyncHole, began with malicious server-side script injections into legitimate South Korean media portals that redirected visitors to domains spoofing those of the distributor of the widely used Cross EX tool and of other software vendors, according to an analysis from Kaspersky. Exploitation of Cross EX then enabled the deployment of the shellcode-laced 'SyncHost.exe', which in turn launched the ThreatNeedle backdoor. In one attack, ThreatNeedle was used to deliver the wAgent or Agamemnon malware loaders and the Innorix Abuser tool; in other intrusions, Lazarus Group used the SIGNBT payload to distribute the Copperhedge malware for reconnaissance.
