Lazarus APT Group Strikes Again with Operation SyncHole

Summary

CRIL came across a blog published by Kaspersky detailing a Lazarus group campaign dubbed "Operation SyncHole" active since November 2024. The attackers used a watering hole strategy combined with vulnerability exploitation to target at least six South Korean organizations across the software, IT, financial, semiconductor, and telecom sectors. Key vulnerabilities were found in popular South Korean software like Cross EX and Innorix Agent, which were exploited for initial access and lateral movement. Immediate notification to the Korea Internet & Security Agency (KrCERT/CC) helped ensure rapid patching of these vulnerabilities.

The campaign involved updated variants of known Lazarus tools such as ThreatNeedle, Agamemnon downloader, wAgent, SIGNBT, and COPPERHEDGE. Attackers showed a deep understanding of the South Korean internet environment, particularly mandatory security software for banking and government sites. Malware was injected into legitimate processes like SyncHost.exe, often executed with elevated privileges after exploiting software flaws. Overall, the attack highlights Lazarus’ persistent focus on South Korea through tailored strategies leveraging local software weaknesses.

Technical Analysis

The Lazarus group initiated the attack when users visited compromised South Korean online media sites. After visiting one specific site, systems were infected with the ThreatNeedle malware. Analysis showed these compromised machines communicated with suspicious IPs hosting fake car rental websites built using public HTML templates. One such domain, www.smartmanagerex[.]com, impersonated legitimate software related to Cross EX.

  • Lazarus filtered website visitors with a server-side script, redirecting selected victims to an attacker-controlled site.

  • A malicious script likely exploited vulnerabilities in the Cross EX software, executing malware via legitimate SyncHost.exe processes.

The operation unfolded in two phases: initially using ThreatNeedle and wAgent malware, then shifting to updated strains like SIGNBT and COPPERHEDGE. Analysts uncovered four distinct execution chains affecting at least six South Korean organizations.

ThreatNeedle Variant

The ThreatNeedle variant observed in this campaign was split into two components: a Loader and a Core module. For secure communications it used key exchange based on the Curve25519 algorithm, combined with ChaCha20 encryption. To achieve persistence, it stealthily integrated into legitimate Windows service hosts, such as the netsvcs group and IKEEXT.
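As an added defensive check that is not part of the original write-up, the following PowerShell script (assumed to run with administrative rights on the host being examined) enumerates the services registered in the netsvcs svchost group plus IKEEXT, resolves each ServiceDll, and flags entries that are unsigned, missing, or loaded from outside System32, which is where a service-host implant of the kind described above would surface.

```powershell
# Added example (not from the original report): hunt for suspicious service DLLs
# in the svchost groups ThreatNeedle is described as abusing (netsvcs, IKEEXT).
# Assumes it is run elevated on the host being examined; a flagged row is a lead
# for further analysis, not proof of compromise.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$system32   = Join-Path $env:SystemRoot 'System32'

# netsvcs group membership is a REG_MULTI_SZ list of service names; IKEEXT is added explicitly
$services = @((Get-ItemProperty -Path $svchostKey).netsvcs) + 'IKEEXT' | Sort-Object -Unique

$findings = foreach ($svc in $services) {
    $sig = $null
    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    $dll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }   # service not installed or has no ServiceDll value

    # ServiceDll values are usually stored with %SystemRoot%-style variables
    $path = [Environment]::ExpandEnvironmentVariables($dll)
    $reasons = @()
    if (-not (Test-Path -LiteralPath $path)) {
        $reasons += 'dll missing on disk'
    } else {
        # Catalog-signed Windows binaries also report Status = Valid here
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        if (-not $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'loaded from outside System32'
        }
    }
    [PSCustomObject]@{
        Service    = $svc
        ServiceDll = $path
        Signer     = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
        Suspicious = $reasons -join '; '
    }
}

# Print every entry, flagged ones first
$findings | Sort-Object { $_.Suspicious -eq '' } | Format-Table -AutoSize
```

Windows normally keeps these DLLs under System32 and catalog-signed, so a row with a non-empty Suspicious column is worth pulling the file for analysis and checking the service's creation time against the incident window.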

LPEClient

LPEClient, a tool designed for victim profiling and payload delivery, was used alongside ThreatNeedle in this phase. Unlike in previous operations, SIGNBT did not deploy LPEClient during this campaign, indicating a targeted use alongside ThreatNeedle.

wAgent Variant

The variant of wAgent discovered was disguised as a legitimate file (liblzma.dll) and relied on AES128-CBC decryption to activate its payloads. It communicated with command-and-control (C2) servers using either JSON or form-data formats. Notably, this variant utilized the GNU Multiple Precision (GMP) library for RSA encryption tasks, a first for Lazarus malware.

Agamemnon Downloader

The Agamemnon downloader played a crucial role in pulling additional payloads from the C2 servers. It employed reflective loading techniques and introduced Tartarus-TpAllocInject, an advanced method designed to bypass security products, showing a level of sophistication not previously observed in Lazarus operations.

Innorix Agent Exploit

For lateral movement, Lazarus exploited a vulnerability in the South Korean-developed Innorix Agent software, specifically version 9.2.18.496. The attackers leveraged insecure file download functionalities within the software to spread malware across internal corporate networks. This lateral movement technique involved sideloading malicious DLLs to execute ThreatNeedle and LPEClient on additional machines.

The Lazarus group has advanced its malware by emphasizing modularity, lightweight design, and asymmetric encryption. Tools like ThreatNeedle, wAgent, and SIGNBT now support dynamic plugin loading for greater flexibility. Post-exploitation, they conducted system reconnaissance, created malicious services for persistence, and attempted lateral movement, with operator errors hinting at manual involvement. Lazarus used compromised South Korean websites and rented servers for C2 communications, also re-registering expired domains to better blend malicious traffic with legitimate activity.

SIGNBT Variants

In the second phase, Lazarus deployed SIGNBT versions 0.0.1 and 1.2. SIGNBT 0.0.1 acted as the initial implant via SyncHost.exe, while 1.2 focused on fetching additional payloads with limited remote control. Communications were secured using a combination of RSA and AES encryption.

COPPERHEDGE Variant

The COPPERHEDGE malware, a Manuscrypt variant, was used for internal reconnaissance. It pulled configuration data from hidden alternate data streams (ADS) and communicated with C2 servers using randomized HTTP parameters for added stealth.
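As an added hunting step that is not part of the original report, the following PowerShell script lists NTFS alternate data streams under a directory (`$Root` is an assumed starting point, adjust it to the scope of interest), skips the benign `:$DATA` and `Zone.Identifier` streams, and computes each remaining stream's byte entropy so that hidden configuration blobs of the kind COPPERHEDGE is described as reading stand out from ordinary metadata streams.

```powershell
# Added example (not from the original report): enumerate NTFS alternate data
# streams under a directory and rank them by entropy. $Root is an assumption.
$Root = "$env:ProgramData"

# Shannon entropy in bits per byte (0..8); near 8 suggests packed or encrypted content
function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = @{}
    foreach ($b in $Bytes) { $counts[$b] = 1 + [int]$counts[$b] }
    $h = 0.0
    foreach ($c in $counts.Values) {
        $p = $c / $Bytes.Length
        $h -= $p * [Math]::Log($p, 2)
    }
    return [Math]::Round($h, 2)
}

# ':$DATA' is the file's own content; Zone.Identifier is the normal browser download mark
$results = Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    Get-Item -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
    ForEach-Object {
        # Read the stream as raw bytes; the byte-mode switch differs between PowerShell 5.1 and 7
        $bytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
            Get-Content -LiteralPath $_.FileName -Stream $_.Stream -AsByteStream -Raw
        } else {
            Get-Content -LiteralPath $_.FileName -Stream $_.Stream -Encoding Byte -Raw
        }
        [PSCustomObject]@{
            Stream  = "$($_.FileName):$($_.Stream)"
            Length  = $_.Length
            Entropy = Get-ShannonEntropy -Bytes $bytes
        }
    }

# Highest-entropy streams first; review anything large and near 8 bits per byte
$results | Sort-Object Entropy -Descending | Format-Table -AutoSize
```

Some legitimate software also stores metadata in streams, so treat the output as a triage list and confirm by examining which process opens the stream (for example with Sysmon file-stream events or an EDR file-access timeline).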

Recommendations

  • Regularly audit and monitor software vendors for vulnerabilities, especially those critical to government and financial sectors. Implement code signing and integrity checks to ensure the authenticity of third-party software and updates.

  • Deploy advanced EDR solutions to continuously monitor network traffic and endpoints for unusual behavior, including command-and-control communication patterns. This can help identify malware activity early and reduce the impact of an attack.

  • Ensure that all software, particularly third-party applications, is up to date with the latest security patches. Attackers often exploit known vulnerabilities in outdated software, so timely updates are critical in preventing successful breaches.

Conclusion

The Lazarus group has a history of exploiting supply chains in South Korea, targeting software critical for online banking and government services. Their approach is consistent, using cascading supply chain attacks to compromise software from local vendors. They continue to evolve their malware and tactics to avoid detection, making it challenging to defend against. However, with timely detection and quick responses, it's possible to mitigate the damage.

Written by

FPT Metrodata Indonesia