North Korean Hackers Leverage VPN Flaws to Spread Malware

Vlad CONSTANTINESCU

August 07, 2024

State-backed North Korean hackers have recently managed to exploit vulnerabilities in VPN software updates to spread malware.

North Korean Hackers Pushed Malware Through Fake Updates

According to a security advisory from South Korea's National Cyber Security Center (NCSC), the threat actors weaponized the flaw to breach networks and distribute malware on affected systems.

The malicious campaign is believed to be tied to a national initiative North Korean President Kim Jong-un announced in January 2023 to modernize factories nationwide. Security experts suspect that perpetrators aim to steal trade secrets from South Korea.

Threat Actors Tied to Infamous Lazarus Group

Kimsuky (APT43) and Andariel (APT45), both state-sponsored threat groups previously associated with the notorious Lazarus Group, are reportedly involved in the recent malicious campaign.

The NCSC warns that these groups, which operate under North Korea's Reconnaissance General Bureau, are simultaneously targeting the same sector in pursuit of specific governmental aims, an unprecedented approach.

Compromised Construction Website Pushing Malware to Visitors

In one of the incidents, reported in January 2024, threat actors compromised a South Korean construction trade organization’s website, leveraging it to spread malware to visitors.

Perpetrators tricked employees into downloading and installing malware on their systems by prompting them with fake security updates, named "NX_PRNMAN" or "TrustPKI," when they attempted to log into the site.

To make matters worse, the malicious installers bore legitimate signatures from a Korean defense company, circumventing antivirus detection.

Once deployed, the malware would carry out several nefarious activities, such as capturing screenshots, stealing sensitive data from web browsers, and pilfering GPKI certificates, SSH keys, and other data from apps like Sticky Notes and FileZilla.

Spreading Malware Through Fake VPN Software Updates

In a second incident, the Andariel group exploited a vulnerability in a local VPN software’s communication protocol to enable the distribution of fake software updates, covertly installing the DoraRAT malware on compromised systems.

Perpetrators leveraged the trojan to steal large files, including ones detailing machinery and equipment designs, and exfiltrate them to a remote command-and-control (C2) server.

Protecting Against Trojans, Fake Updates, and Other Intrusions

Specialized software like Bitdefender Ultimate Security can protect systems against trojans, fake updates, and other digital intrusions. It accurately detects and protects against viruses, worms, Trojans, spyware, ransomware, zero-day exploits and rootkits.

Furthermore, it encompasses an extensive range of advanced features, including network threat prevention, behavioral detection technology, and web attack prevention modules.
