Full Report
Kaspersky GReAT experts uncovered a new campaign by Lazarus APT that exploits vulnerabilities in South Korean software products and uses a watering hole approach.
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
- **Threat Actor:** Lazarus Group (APT)
- **Associated Groups/Aliases:** None explicitly mentioned in relation to this campaign, though the article notes exploited software (Innorix Agent) was previously abused by the Andariel group.
## Activity Summary
The Lazarus group has been conducting a sophisticated attack campaign dubbed **"Operation SyncHole"** since November 2024, targeting organizations in South Korea. The operation centers on a **watering hole strategy combined with the exploitation of vulnerabilities** in South Korean security software that users are required to install for banking and government services. The campaign impacted at least six organizations across the software, IT, financial, semiconductor manufacturing, and telecommunications sectors. The activity was concentrated between November 2024 and February 2025.
## Tactics, Techniques & Procedures
- **Initial Access/Exploitation:** Used a watering hole attack strategy. Exploited vulnerabilities in legitimate South Korean software (specifically mentioned: Cross EX and Innorix Agent) to gain initial access.
- **Lateral Movement:** Exploited a one-day vulnerability in **Innorix Agent** (versions 9.2.18.450 and earlier) for lateral movement; an exploitation attempt against the later version 9.2.18.496 was also observed.
- **Execution:** Malware was found running in the memory of a legitimate process (`SyncHost.exe`) as a subprocess of the legitimate South Korean software, **Cross EX**.
- **Privilege Escalation:** Attackers likely escalated privileges during exploitation, as observed processes often ran with a high integrity level.
- **Defense Evasion:** Used fileless techniques, injecting malware into the memory of a legitimate process.
## Targeting
- **Sectors:** Software, IT, Financial, Semiconductor manufacturing, and Telecommunications.
- **Geography:** South Korea.
- **Victims:** At least six South Korean organizations. Specific names not provided.
## Tools & Infrastructure
- **Malware Families Used (Variants discovered):**
  - ThreatNeedle (flagship backdoor)
  - Agamemnon downloader
  - wAgent
  - SIGNBT
  - COPPERHEDGE
- **Infrastructure/Exploited Software:**
  - Vulnerabilities in **Cross EX** software.
  - Vulnerabilities exploited in **Innorix Agent** software.
  - Legitimate process abuse (`SyncHost.exe`).
## Implications
Lazarus demonstrates a strong, tailored understanding of the South Korean cybersecurity ecosystem, specifically targeting necessary security software often running in the background with user-level privileges. The rapid development of custom exploits (including discovering a zero-day in Innorix Agent) to maintain persistence and streamline operations highlights a mature and adaptive adversary. Remediation efforts have been successful, as exploited software versions have reportedly been patched.
## Mitigations
- Ensure all regional security software components (especially those required for banking/government access like Cross EX and Innorix Agent) are immediately updated to patched versions.
- Enhance process monitoring to detect memory injection into legitimate system processes (e.g., `SyncHost.exe`).
- Implement proactive hunting for known Lazarus malware variants (ThreatNeedle, etc.).
- Review endpoint visibility to detect privilege escalation attempts originating from user-level applications.
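As an added illustration of the process-monitoring mitigation above (example code, not from the Kaspersky report), the following Python checks constructed process-creation events for `SyncHost.exe` launches that either run at a higher integrity level than the parent that spawned them or come from a parent outside an allowlist. The Cross EX host executable name and the parent allowlist are assumed placeholders to be tuned per environment.

```python
# Constructed sample process-creation events (not taken from the report).
# The Cross EX host executable name is an assumed placeholder; SyncHost.exe as a
# child of Cross EX and the high-integrity observation come from the summary.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 1300, "image": r"C:\Program Files\CrossEX\CROSSEX_HOST_PLACEHOLDER.exe", "integrity": "Medium"},
    {"pid": 2210, "ppid": 1300, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "integrity": "Medium"},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Program Files\CrossEX\SyncHost.exe", "integrity": "Medium"},  # benign
    {"pid": 5021, "ppid": 4120, "image": r"C:\Program Files\CrossEX\SyncHost.exe", "integrity": "High"},    # elevated
    {"pid": 5302, "ppid": 2210, "image": r"C:\Program Files\CrossEX\SyncHost.exe", "integrity": "Medium"},  # odd parent
]

INTEGRITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "System": 4}
TARGET_CHILD = "synchost.exe"
# Assumed allowlist of parents that legitimately launch SyncHost.exe (placeholder name).
EXPECTED_PARENTS = {"crossex_host_placeholder.exe"}


def basename(path):
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_synchost(events):
    """Return (pid, reason) pairs for SyncHost.exe launches that break the expected pattern.

    Two signals are checked independently per event:
      1. the child runs at a higher integrity level than its parent (the
         user-level security software should not hand out elevated children);
      2. the parent is not one of the processes expected to spawn SyncHost.exe.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if basename(ev["image"]) != TARGET_CHILD:
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None:
            findings.append((ev["pid"], "parent process not in telemetry"))
            continue
        pname = basename(parent["image"])
        if pname not in EXPECTED_PARENTS:
            findings.append((ev["pid"], f"unexpected parent {pname}"))
        if INTEGRITY_RANK[ev["integrity"]] > INTEGRITY_RANK[parent["integrity"]]:
            findings.append((ev["pid"], f"integrity {ev['integrity']} exceeds parent's {parent['integrity']}"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_suspicious_synchost(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The integrity comparison is the page-specific signal; the parent allowlist generalizes it so the same check also catches `SyncHost.exe` launched from an unrelated application.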