Lazarus APT Targets Organizations by Exploiting One-Day Vulnerabilities

A recent cyber espionage campaign by the notorious Lazarus Advanced Persistent Threat (APT) group, tracked as “Operation SyncHole,” has compromised at least six South Korean organizations across software, IT, financial, semiconductor, and telecommunications sectors since November 2024.

According to detailed research, the attackers employed a combination of watering hole attacks and exploited vulnerabilities in widely used South Korean software, including Cross EX and Innorix Agent.

This operation showcases the group’s deep understanding of the local software ecosystem, targeting applications integral to online banking and government services.

The campaign’s sophistication lies in its use of one-day vulnerabilities flaws patched shortly after discovery but exploited during the narrow window of exposure demonstrating Lazarus’ agility in weaponizing newly identified weaknesses.

Technical Precision in Malware Deployment and Lateral Movement

The attack began with users visiting compromised South Korean media sites, triggering the delivery of the ThreatNeedle backdoor via a watering hole strategy.

Lazarus exploited flaws in Cross EX, a legitimate browser-support software, to inject malware into the SyncHost.exe process, enabling privilege escalation and persistence.

Simultaneously, a one-day vulnerability in Innorix Agent (versions up to 9.2.18.496) facilitated lateral movement within networks, allowing the deployment of additional payloads like ThreatNeedle and LPEClient.

The operation unfolded in two phases: the first relied on updated variants of ThreatNeedle and wAgent, while the second introduced SIGNBT (version 0.0.1 and 1.2) and COPPERHEDGE for reconnaissance and payload delivery.

Notably, the malware incorporated advanced encryption (Curve25519 for ThreatNeedle, RSA for SIGNBT) and modular structures, reflecting Lazarus’ evolving tactics.

New libraries, such as the GNU Multiple-Precision (GMP) in wAgent, and techniques like Tartarus-TpAllocInject in the Agamemnon downloader, were observed, underscoring their focus on bypassing modern security solutions.

Infrastructure analysis revealed compromised legitimate South Korean websites repurposed as command-and-control (C2) servers, with domains like www.smartmanagerex[.]com mimicking trusted vendors to evade detection.

Rapid response by security researchers, in collaboration with the Korea Internet & Security Agency (KrCERT/CC), led to the patching of exploited software vulnerabilities, including a previously unknown zero-day in Innorix Agent (KVE-2025-0014).

Despite these efforts, the researchers warn that many more organizations may have been compromised, given the widespread use of the targeted software.

Lazarus’ persistent focus on South Korean supply chains, as seen in prior campaigns like Bookcode (2020) and DeathNote (2022), suggests that such attacks will continue, potentially leveraging undiscovered zero-days.

Organizations are urged to deploy robust security solutions and remain vigilant against cascading supply chain threats.

Type	Value	Location
ThreatNeedle Loader	f1bcb4c5aa35220757d09fc5feea193b	C:\System32\PCAuditex.dll
wAgent Loader	dc0e17879d66ea9409cdf679bfea388c	C:\ProgramData\intel\util.dat
COPPERHEDGE Dropper	2d47ef0089010d9b699cd1bbbc66f10a	%AppData%\hnc_net.tmp
C2 Server	www.smartmanagerex[.]com	–
C2 Server	hxxps://thek-portal[.]com/eng/career/index.asp	–

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!