Lazarus, the North Korea-affiliated state-sponsored group, is attempting to once again target security researchers with backdoors and remote access trojans using a trojanized pirated version of the popular IDA Pro reverse engineering software.
The findings were reported by ESET security researcher Anton Cherepanov last week in a series of tweets.
IDA Pro is an interactive disassembler designed to translate machine code (i.e., executables) into assembly language, enabling security researchers to analyze the inner workings of a program (malicious or otherwise); it also functions as a debugger for stepping through code and locating errors.
"Attackers bundled the original IDA Pro 7.5 software developed by [Hex-Rays] with two malicious components," the Slovak cybersecurity firm said, one of which is an internal module called "win_fw.dll" that's executed during installation of the application. This tampered version is then orchestrated to load a second component named "idahelper.dll" from the IDA plugins folder on the system.
Upon successful execution, the "idahelper.dll" binary connects to a remote server at "www[.]devguardmap[.]org" to retrieve subsequent payloads. The domain is also notable for the fact that it's been previously linked to a similar North Korea-backed campaign aimed at security professionals and disclosed by Google's Threat Analysis Group earlier this March.
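As an added defender-side example (not code from ESET's report or from Hex-Rays), the script below hunts for the traces described above: it checks an IDA plugins folder for the two bundled components and scans proxy-style log lines for connections to the command-and-control domain. The plugin allowlist, the directory layout and the log line format are assumptions, and the sample data is constructed.

```python
"""Hunt for traces of the trojanized IDA Pro 7.5 bundle (added example)."""
import os
import re
import tempfile

# Indicators taken from the report: the two bundled components and the C2 domain.
SUSPECT_FILES = {"win_fw.dll", "idahelper.dll"}
C2_DOMAIN = "www.devguardmap.org"

# Assumption: a vetted inventory of plugin DLL names from a clean IDA install
# (hypothetical allowlist; build your own from a known-good installation).
KNOWN_PLUGINS = {"hexrays.dll", "hexx64.dll", "idapython.dll"}


def scan_plugins_dir(plugins_dir):
    """Return (known-bad, unknown) DLL names found in an IDA plugins folder."""
    found = {n.lower() for n in os.listdir(plugins_dir) if n.lower().endswith(".dll")}
    bad = sorted(found & SUSPECT_FILES)
    unknown = sorted(found - KNOWN_PLUGINS - SUSPECT_FILES)
    return bad, unknown


# Assumed log format: "<timestamp> <host> <process> <destination>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<dst>\S+)$")


def find_beacons(log_lines, domain=C2_DOMAIN):
    """Return (host, process) pairs for log lines whose destination is the C2 domain."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and m.group("dst").lower().rstrip(".") == domain:
            hits.append((m.group("host"), m.group("proc")))
    return hits


# Constructed sample log lines for a stand-alone run.
SAMPLE_LOG = [
    "2021-11-08T10:02:11Z ws-research01 ida64.exe www.devguardmap.org",
    "2021-11-08T10:02:12Z ws-research01 ida64.exe hex-rays.com",
    "2021-11-08T10:03:40Z ws-build02 chrome.exe www.devguardmap.org.",
]


def demo():
    """Build a throwaway plugins folder with one bad and one unknown DLL, then run both checks."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("hexrays.dll", "idahelper.dll", "extra.dll"):
            open(os.path.join(d, name), "wb").close()
        return scan_plugins_dir(d), find_beacons(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```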
The covert operation involved the adversaries setting up a fake security company known as SecuriElite, along with a number of social media accounts on Twitter and LinkedIn, in an attempt to trick unsuspecting researchers into visiting the company's malware-laced website, which triggered an exploit for a then-zero-day vulnerability in the Internet Explorer browser. Microsoft eventually addressed the issue in its Patch Tuesday update for March 2021.
Also known by the monikers APT38, Hidden Cobra, and Zinc, the Lazarus Group is known to have been active since at least 2009 and has been linked to a string of attacks aimed at financial gain and at harvesting sensitive information from compromised environments.
"North Korea's cyber program poses a growing espionage, theft, and attack threat," according to the U.S. Office of the Director of National Intelligence 2021 Annual Threat Assessment published earlier this April.
"North Korea has conducted cyber theft against financial institutions and cryptocurrency exchanges worldwide, potentially stealing hundreds of millions of dollars, probably to fund government priorities, such as its nuclear and missile programs."