KASPERSKY experts have identified two advanced persistent threat (APT) incidents that targeted entities related to the research of COVID-19, namely a Ministry of Health body and a pharmaceutical company.
It is believed that such activities can be attributed to the infamous Lazarus group’s ongoing campaign of targeting various industries in an effort to capitalise on their work for its own gain.
For the attack against the Ministry of Health body, two Windows servers in the organisation were compromised with sophisticated malware on Oct 27, 2020.
The malware, named wAgent, has the same infection scheme as the malware that the Lazarus group had used in previous attacks on cryptocurrency businesses.
According to Kaspersky telemetry, the incident involving the pharmaceutical company happened on Sept 25, 2020.
The company has been working on developing a COVID-19 vaccine with authorisation to produce and distribute.
The attacker who deployed the Bookcode malware had previously been reported to be connected to the Lazarus group’s supply-chain attack through a South Korean software company.
Both the wAgent and Bookcode malware offer the functionality of a full-featured backdoor, allowing the malware operator to control the victim’s machine/device in almost any way they please.
Given the noted overlaps, Kaspersky researchers confirm with high confidence that both incidents are connected to the Lazarus group.
The research is still ongoing.
“These two incidents reveal the Lazarus group’s interest in intelligence related to COVID-19. While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well,” Kaspersky security expert Seongsu Park pointed out.
“We believe that all entities currently involved in activities such as vaccine research or crisis handling should be on high alert for cyberattacks,” he added.
Kaspersky products detect the wAgent malware as HEUR:Trojan.Win32.Manuscrypt.gen and Trojan.Win64.Manuscrypt.bx.
The Bookcode malware is detected as Trojan.Win64.Manuscrypt.ce.
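The detection names above are the concrete artefacts a SOC can pivot on. The following added example (not part of the article or of Kaspersky’s tooling) shows how a triage script can map those verdicts back to the two malware families and also catch other variants in the same Manuscrypt family, which an exact-string match would miss. The log line format, the hostnames and the `Manuscrypt.zz` suffix are constructed for illustration; the three verdict names come from the article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Detection names quoted in the article for the two malware families.
WAGENT_VERDICTS = {"HEUR:Trojan.Win32.Manuscrypt.gen", "Trojan.Win64.Manuscrypt.bx"}
BOOKCODE_VERDICTS = {"Trojan.Win64.Manuscrypt.ce"}

# Family-level pattern: any Manuscrypt verdict, whatever the variant suffix,
# so that a new suffix is still escalated rather than silently ignored.
MANUSCRYPT_RE = re.compile(r"Trojan\.Win(?:32|64)\.Manuscrypt\.", re.IGNORECASE)

# Assumed (constructed) line shape for an exported AV/EDR event:
#   <timestamp> host=<name> verdict=<detection name> action=<verb>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+verdict=(?P<verdict>\S+)\s+action=(?P<action>\S+)$"
)

# Constructed sample events; hostnames and the ".zz" variant are made up.
SAMPLE_LOG = """\
2020-10-27T09:14:02Z host=MOH-SRV-01 verdict=HEUR:Trojan.Win32.Manuscrypt.gen action=quarantined
2020-10-27T09:14:05Z host=MOH-SRV-02 verdict=Trojan.Win64.Manuscrypt.bx action=quarantined
2020-09-25T13:02:11Z host=PHARMA-WS-17 verdict=Trojan.Win64.Manuscrypt.ce action=detected
2020-09-25T13:05:40Z host=PHARMA-WS-18 verdict=not-a-virus:HEUR:AdWare.Win32.Generic action=quarantined
2020-09-26T08:00:00Z host=PHARMA-WS-19 verdict=Trojan.Win64.Manuscrypt.zz action=detected
"""


@dataclass
class Alert:
    timestamp: str
    host: str
    verdict: str
    action: str
    label: str  # "wAgent", "Bookcode" or "Manuscrypt (other)"


def classify(verdict: str) -> Optional[str]:
    """Map a detection name to a family label, or None if unrelated."""
    if verdict in WAGENT_VERDICTS:
        return "wAgent"
    if verdict in BOOKCODE_VERDICTS:
        return "Bookcode"
    if MANUSCRYPT_RE.search(verdict):
        return "Manuscrypt (other)"
    return None


def parse_line(line: str) -> Optional[dict]:
    """Parse one event line; return None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines: List[str]) -> Tuple[List[Alert], int]:
    """Return alerts for Manuscrypt-family verdicts and the count of lines skipped."""
    alerts: List[Alert] = []
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        label = classify(rec["verdict"]) if rec else None
        if rec is None or label is None:
            skipped += 1
            continue
        alerts.append(Alert(rec["ts"], rec["host"], rec["verdict"], rec["action"], label))
    return alerts, skipped


if __name__ == "__main__":
    found, ignored = triage(SAMPLE_LOG.splitlines())
    for a in found:
        # A "detected" (not quarantined) backdoor verdict warrants host isolation.
        flag = "ISOLATE" if a.action != "quarantined" else "review"
        print(f"{a.timestamp} {a.host:<14} {a.label:<20} {a.verdict} [{flag}]")
    print(f"{len(found)} Manuscrypt-family alerts, {ignored} unrelated/malformed lines skipped")
```

The family-level regex is the point of the example: exact verdict strings are useful for attribution to wAgent or Bookcode, but the escalation rule should key on the family so that a variant the vendor names later is not dropped on the floor.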
To avoid any similar cases happening again, Kaspersky advises companies to take the following precautions:
- Provide your SOC team with access to the latest threat intelligence (TI);
- Provide your staff with basic cybersecurity hygiene training as many targeted attacks start with phishing or other social engineering techniques;
- For endpoint-level detection, investigation and timely remediation of incidents, implement endpoint detection and response (EDR) solutions; and
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage. – Dec 23, 2020