Full Report
At least six organizations in South Korea have been targeted by the prolific North Korea-linked Lazarus Group as part of a campaign dubbed Operation SyncHole. The activity targeted South Korea's software, IT, financial, semiconductor manufacturing, and telecommunications industries, according to a report from Kaspersky published today. The earliest evidence of compromise was first detected in
Analysis Summary
# Incident Report: Operation SyncHole - Lazarus Group Campaign Targeting South Korean Sectors
## Executive Summary
The Lazarus Group executed "Operation SyncHole," a sophisticated campaign targeting six key South Korean industries including finance, IT, and semiconductors, beginning in November 2024. The attackers utilized a combination of watering hole attacks and the likely exploitation of vulnerabilities in prevalent local software like Cross EX and Innorix Agent to gain initial access and move laterally, ultimately deploying a suite of custom malware tools. Response efforts centered on analyzing the multi-stage infection chain and addressing the vulnerability exploited in the Innorix Agent.
## Incident Details
- Discovery Date: Kaspersky report published on April 24, 2025 (Earliest evidence of compromise detected in November 2024)
- Incident Date: Commenced November 2024
- Affected Organization: At least six organizations across various sectors in South Korea.
- Sector: Software, IT, Financial, Semiconductor Manufacturing, and Telecommunications.
- Geography: South Korea
## Timeline of Events
### Initial Access
- Date/Time: Prior to or around November 2024
- Vector: Watering hole strategy targeting visitors of South Korean online media sites.
- Details: Visitors landing on compromised sites were filtered by a server-side script and redirected to an adversary-controlled domain. The redirect likely executed a malicious script leveraging a flaw in **Cross EX** software, ultimately leading to the injection of shellcode into `SyncHost.exe` to load the **ThreatNeedle** variant.
### Lateral Movement
- Details: Attackers leveraged a **one-day vulnerability in the Innorix Agent** file transfer tool to move laterally between compromised hosts. This may have involved exploiting an additional zero-day vulnerability discovered in the Innorix Agent.
### Data Exfiltration/Impact
- Details: The early infection stages used **ThreatNeedle** and **wAgent**. Later stages involving **SIGNBT** and **COPPERHEDGE** were used for establishing persistence, conducting reconnaissance, and delivering credential dumping tools. **Agamemnon** was used as a downloader for further payloads, and **LPEClient** for victim profiling. *Specifics on exfiltrated data volume or type were not detailed.*
### Detection & Response
- Date/Time: Discovery reported via Kaspersky analysis published April 24, 2025.
- Details: Researchers analyzed the sophisticated attack chain involving custom malware and vulnerability exploitation. The patched zero-day vulnerability in Innorix Agent was identified post-exploitation.
## Attack Methodology
- Initial Access: Watering Hole attack combined with exploitation of a security flaw in **Cross EX**.
- Persistence: Established using malware variants such as **SIGNBT** and **COPPERHEDGE**.
- Privilege Escalation: Not explicitly detailed, but exploitation of software vulnerabilities often leads to elevated privileges.
- Defense Evasion: Malware execution incorporated the **Hell's Gate technique** to bypass security solutions during execution.
- Credential Access: Delivery of specific **credential dumping tools** post-persistence.
- Discovery: Conducted using reconnaissance capabilities inherent in later-stage malware payloads.
- Lateral Movement: Exploitation of a security flaw in the **Innorix Agent** file transfer tool.
- Collection: Conducted via reconnaissance tools and execution of **LPEClient** for victim profiling.
- Exfiltration: *Not explicitly detailed, though credential dumping tools suggest data theft.*
- Impact: Compromise of critical infrastructure and sensitive systems across multiple sectors.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Potential theft of credentials and sensitive operational data due to credential dumping tools deployment.
- Operational: Business disruption within the targeted software, IT, financial, semiconductor, and telecommunications sectors.
- Reputational: Potential damage to the targeted organizations and the software vendors whose products were exploited.
## Indicators of Compromise
*(Note: the source article did not publish hashes or domains; the indicators below are derived from its description of the campaign.)*
- Network Indicators: No C2 domains or IP addresses were disclosed; the report notes that the malware's C2 communication structures were enhanced compared with earlier variants.
- Malware Families: **ThreatNeedle**, **Agamemnon**, **wAgent**, **SIGNBT**, **COPPERHEDGE**, **LPEClient** variants.
- Behavioral Indicators: Injection of shellcode into `SyncHost.exe`; utilization of **Hell's Gate** technique.
## Response Actions
- Containment: Actions were implicitly focused on identifying and removing the deployed malware families (ThreatNeedle, SIGNBT, etc.).
- Eradication Steps: Removing all instances of the Lazarus Group toolsets from the compromised hosts.
- Recovery Actions: Applying the patch released for the zero-day vulnerability discovered in the **Innorix Agent**.
## Lessons Learned
- The Lazarus Group demonstrates specialized knowledge of South Korean IT infrastructure, specifically targeting prevalent local software such as the Cross EX security software and the Innorix Agent file transfer tool.
- Attack chains are multi-phased, starting with web compromise and escalating to in-depth system exploitation for persistence.
- Attackers are actively enhancing communication protocols and obfuscation techniques (Hell's Gate) to minimize detection.
## Recommendations
- Organizations utilizing software prevalent in the South Korean ecosystem (e.g., Cross EX, Innorix Agent) must immediately verify the security posture and apply all available patches, treating these unique local tools as high-risk supply chain components.
- Enhance endpoint monitoring for signs of process injection (e.g., shellcode execution within common system processes like `SyncHost.exe`).
- Implement robust endpoint detection and response (EDR) capable of detecting obfuscation techniques like Hell's Gate used during payload execution.
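One way to act on the process-injection recommendation above is a small hunting rule over endpoint telemetry. The following is an added example, not code from the Kaspersky report or from the summary: it assumes Sysmon-style events already parsed into dictionaries (Event ID 8 CreateRemoteThread and Event ID 10 ProcessAccess, using Sysmon's `SourceImage`, `TargetImage` and `GrantedAccess` field names), flags any non-allowlisted process that creates a remote thread in, or opens an injection-capable handle to, `SyncHost.exe`, and runs against constructed sample events (the allowlist and sample paths are assumptions, not indicators from the report).

```python
"""Hunt for process-injection telemetry targeting SyncHost.exe.

Added example, not part of the Kaspersky report or the summary above.
Assumes Sysmon-style events already parsed to dicts (field names follow
Sysmon Event ID 8 CreateRemoteThread and Event ID 10 ProcessAccess);
the sample events below are constructed for illustration.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Process named in the summary as the injection target.
WATCHED_TARGETS = {"synchost.exe"}

# Win32 process access rights that allow writing into / executing in a remote process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Sources that legitimately touch other processes (assumed allowlist; tune per environment).
ALLOWLISTED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\lsass.exe"}


@dataclass(frozen=True)
class Finding:
    event_id: int
    source_image: str
    target_image: str
    reason: str


def _basename(path: str) -> str:
    # Windows paths regardless of the host the rule runs on.
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> Finding | None:
    """Return a Finding if the event looks like code injection into a watched process."""
    target = event.get("TargetImage", "")
    source = event.get("SourceImage", "")
    if _basename(target) not in WATCHED_TARGETS:
        return None
    if source.lower() in ALLOWLISTED_SOURCES:
        return None
    eid = int(event.get("EventID", 0))
    if eid == 8:  # CreateRemoteThread into the watched process
        return Finding(eid, source, target, "remote thread created in watched process")
    if eid == 10:  # ProcessAccess: inspect the rights actually granted on the handle
        granted = int(str(event.get("GrantedAccess", "0x0")), 16)
        if granted & INJECTION_RIGHTS:
            return Finding(eid, source, target,
                           f"handle opened with injection-capable rights 0x{granted:x}")
    return None


def hunt(events: list[dict]) -> list[Finding]:
    """Apply evaluate() to every event and keep the hits, in input order."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample telemetry (not real indicators from the report).
SAMPLE_EVENTS = [
    # Allowlisted system process: ignored even with full access.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\SyncHost.exe", "GrantedAccess": "0x1fffff"},
    # Query-only rights (0x1400): benign inventory-style access, not flagged.
    {"EventID": 10, "SourceImage": r"C:\Program Files\Monitor\agent.exe",
     "TargetImage": r"C:\Windows\System32\SyncHost.exe", "GrantedAccess": "0x1400"},
    # Browser opening SyncHost.exe with PROCESS_ALL_ACCESS: flagged.
    {"EventID": 10, "SourceImage": r"C:\Program Files\Browser\browser.exe",
     "TargetImage": r"C:\Windows\System32\SyncHost.exe", "GrantedAccess": "0x1fffff"},
    # Browser creating a remote thread in SyncHost.exe: flagged.
    {"EventID": 8, "SourceImage": r"C:\Program Files\Browser\browser.exe",
     "TargetImage": r"C:\Windows\System32\SyncHost.exe"},
    # Same behaviour against an unwatched process: out of scope for this rule.
    {"EventID": 8, "SourceImage": r"C:\Program Files\Browser\browser.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The rule keys on the granted access mask rather than on the source process name, so a renamed or unfamiliar injector is still caught, while query-only handles that inventory and monitoring agents open all day are not. Keep the allowlist short and path-exact: matching on basename alone would let a copy of `csrss.exe` dropped in a user-writable directory bypass the rule.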