The Lazarus Group, an advanced persistent threat (APT) linked to the North Korean government, has initiated two distinct supply chain attack campaigns aimed at infiltrating corporate networks and exploiting various downstream entities. Recent intelligence indicates that this group utilized the MATA malware framework along with backdoors known as BLINDINGCAN and COPPERHEDGE in their operations, targeting the defense sector, a Latvian IT asset monitoring firm, and a South Korean think tank, as highlighted in the Q3 2021 APT Trends report from Kaspersky.
In one notable incident, the supply chain attack was traced back to a compromised South Korean security software product, which delivered a malicious payload that facilitated the deployment of the BLINDINGCAN and COPPERHEDGE malware in June 2021. Researchers noted that the second attack, which occurred in May against the Latvian firm, represents an unusual target in Lazarus's attack history.
There remains ambiguity about whether Lazarus altered the IT vendor’s software to disseminate these malicious implants, or alternatively, if they exploited their access to breach other customers within the network. Kaspersky is monitoring this campaign and has designated it under the DeathNote cluster.
Moreover, the group appears to be engaged in a separate cyber-espionage initiative that leverages the versatile MATA malware framework to conduct a variety of malicious activities on infected systems. This framework supported the deployment of Trojanized versions of applications relevant to the intended victims, consistent with known tactics of the Lazarus Group.
Kaspersky's prior assessments reveal that the MATA framework can be used to launch attacks across Windows, Linux, and macOS operating systems. Its architecture supports a multi-staged infection process, culminating in the deployment of additional plugins that provide access to sensitive data, such as stored files and confidential database information, while also enabling arbitrary DLL injection.
In addition to Lazarus, another APT actor, likely of Chinese origin and suspected to be HoneyMyte, has adopted a similar strategy. This group modified the installer for a fingerprint scanner software, embedding the PlugX backdoor on a distribution server associated with an unnamed government agency in South Asia, which Kaspersky has referred to as the “SmudgeX” incident.
The rise of cyber attacks targeting the IT supply chain comes into sharp focus following the 2020 SolarWinds breach, underscoring a critical need for organizations to adopt stringent security practices. These incidents highlight the importance of proactive measures to safeguard enterprise environments against evolving threats.