Kaspersky reveals two Lazarus attacks targeting vaccine research
Woburn, MA – December 23, 2020 – In the autumn of 2020, Kaspersky researchers identified two APT incidents that targeted entities related to COVID-19 research. The researchers have now assessed with high confidence that the activities, which targeted a Ministry of Health body and a pharmaceutical company, can be attributed to the infamous Lazarus group.
As the pandemic continues and vaccine development has progressed, some threat actors have tried to capitalize. Kaspersky experts tracking the Lazarus group discovered that it was one such actor, going after COVID-19-related entities in September and October.
The first attack targeted a Ministry of Health body. Two Windows servers in the organization were compromised with sophisticated malware on October 27, 2020. The malware used is known by Kaspersky as “wAgent.” Closer analysis found that the wAgent malware used against the Ministry of Health has the same infection scheme as Lazarus’ previous attacks on cryptocurrency businesses.
The second incident involved a pharmaceutical company. According to Kaspersky telemetry, the company was breached on September 25, 2020. The company is developing a COVID-19 vaccine and is also authorized to produce and distribute it. This time, the attacker deployed the Bookcode malware, previously reported by a security vendor to be connected to Lazarus, in a supply chain attack through a South Korean software company. Kaspersky researchers have also witnessed Lazarus group using Bookcode malware in the past.
Bookcode and wAgent malware have similar functionalities, such as a full-featured backdoor. After deploying the final payload, the malware operator can control the victim’s machine in nearly any manner they wish.
Relationship of recent Lazarus group attack
Given the noted overlaps, Kaspersky researchers confirm with high confidence that both incidents are connected to the Lazarus group. The research is still ongoing.
“These two incidents reveal Lazarus group’s interest in intelligence related to COVID-19,” said Seongsu Park, security expert at Kaspersky. “While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well. We believe that all entities currently involved in activities such as vaccine research or crisis handling should be on high alert for cyberattacks.”
Kaspersky products detect the wAgent malware as HEUR:Trojan.Win32.Manuscrypt.gen and Trojan.Win64.Manuscrypt.bx.
The Bookcode malware is detected as Trojan.Win64.Manuscrypt.ce.
To stay safe from sophisticated threats, Kaspersky recommends taking the following security measures:
For further details on the new exploits documented above, read the full report on Securelist.
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
Sawyer Van Horn