The dangers of employees inadvertently downloading dangerous third-party software was again highlighted when an organization ended up running a trojanized cryptocurrency trading application that was installed by a worker.
In this case, the danger may be multiplied when the third-party company in question could be a front for the Lazarus APT cyber gang.
Kaspersky Lab researchers stumbled across this insider threat while investigating a cryptocurrency exchange under attack by Lazarus. Kaspersky said the malware-laced trading software had been introduced to the company in an email that recommended the recipient click on a supplied link and go to the Celas LLC website and install Celas Trade Pro software.
The employee did as requested and visited what appears to be a legitimate site, then downloaded and installed what ended up being Fallchill, an old tool that Lazarus has recently started using again.
Kaspersky also made the assertion that Celas LLC itself may be the work of Lazarus and was set up to give the gang a legitimate looking online base of operations from which to do their dirty work.
“From all angles, the Celas LLC story looks like the threat actor has found an elaborate way to create a legitimate looking business and inject a malicious payload into a legitimate looking software update mechanism. Sounds logical: if one cannot compromise a supply chain, why not make a fake one,” Kaspersky wrote.
The company also built a strong case associating Fallchill with Lazarus. The malware is a remote access tool that the US-CERT, DHS and FBI have identified as being part of North Korea’s malware arsenal, and Kaspersky noted the command and control server and IP address in use here was previously used in conjunction with Fallchill. Additionally, another piece of malware was discovered — a backdoor stored in the TManager directory, the same place Fallchill is found.
“What is probably one of the most interesting findings to come from this additional backdoor was discovered hidden in hardcoded headers used to communicate with C2 server. The Accept-Language HTTP header string revealed a language code associated with North Korea. In our experience, this is something we normally don’t see in malware,” the Kaspersky report said.
Despite this clue, Lazarus did quite a bit of extra leg work to obfuscate this cyberattack.
First, the gang redeveloped the malware to work with different operating systems, adding macOS and possibly Linux, Kaspersky said. It was already designed to work with Windows. The company believes this is the first time Lazarus has used macOS-capable malware.
Next, the trojan was not pushed out with the Celas Trade Pro download, which comes through clean, but was rather injected through an update for the software. Once the installation is completed, the installer runs the Updater.exe that again looks legit, but instead the updater downloads the payload and collects user information and sends it back to a command-and-control server.
Kaspersky noted the payload file size was very large, almost 105MB, and possibly artificially inflated to make it harder to download or transfer.
At this point, the malware sends out a query to the server and receives one of two responses. Either an HTTP code 300 is sent which tells the malware to remain silent and do nothing, or if HTTP code 200 is received it extracts the payload with base64 and decrypts it using RC4 with another hardcoded key (“[email protected]%Df324V$Yd“).
“This should be a lesson to all of us and a wake-up call to businesses relying on third-party software. Do not automatically trust the code running on your systems. Neither good looking website, nor solid company profile nor the digital certificates guarantee the absence of backdoors,” Kaspersky warned.