
Kaspersky discovers COVID-19 research related cyber threats

Kaspersky researchers have identified two APT incidents that targeted entities related to COVID-19 research: a Ministry of Health body and a pharmaceutical company.

Kaspersky experts assessed with high confidence that the activities can be attributed to the Lazarus group.

As the COVID-19 pandemic and restrictive measures across the world continue, many parties involved are trying to speed up vaccine development by any means available.

While most of that work is well intentioned, the Kaspersky researchers note there is another side to the coin: some threat actors are trying to capitalise on the situation for their own gain.

The two incidents in detail

As they continue to track the Lazarus group’s ongoing campaigns targeting various industries, Kaspersky experts have discovered that the actor went after COVID-19-related entities a couple of months ago.

Namely, two incidents were identified. The first one was an attack against a Ministry of Health body. Two Windows servers in the organisation were compromised with sophisticated malware on October 27, 2020.

Kaspersky had already seen the malware used, which it calls ‘wAgent’. Closer analysis showed that the wAgent sample used against the Ministry of Health follows the same infection scheme as malware the Lazarus group previously used in attacks on cryptocurrency businesses.

The second incident involved a pharmaceutical company. According to Kaspersky telemetry, the company was breached on September 25, 2020.

This company is developing a COVID-19 vaccine and is also authorised to produce and distribute it.

This time the attacker deployed the Bookcode malware, which the vendor had previously reported as connected to Lazarus, delivering it in a supply chain attack through a South Korean software company.

Attacks attributed to the Lazarus group

In the past, Kaspersky researchers have also observed the Lazarus group deliver Bookcode through spear-phishing and through strategic compromises of websites.

wAgent and Bookcode, the malware used in the two attacks, share similar functionality: each is a full-featured backdoor.

After deploying the final payload, the malware operator can control a victim’s machine in nearly any manner they wish, the experts state.

Given the noted overlaps, Kaspersky researchers assess with high confidence that both incidents are connected to the Lazarus group.

The research is still ongoing.

Kaspersky security expert Seongsu Park says, “These two incidents reveal Lazarus group’s interest in intelligence related to COVID-19. While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well.

“We believe that all entities currently involved in activities such as vaccine research or crisis handling should be on high alert for cyber attacks.”

Take care of your staff and organisation

Kaspersky advises businesses to look for security products that detect the wAgent malware as HEUR:Trojan.Win32.Manuscrypt.gen and Trojan.Win64.Manuscrypt.bx; the Bookcode malware is detected as Trojan.Win64.Manuscrypt.ce.

To stay safe from sophisticated threats, Kaspersky recommends taking the following security measures:

  • Provide your SOC team with access to the latest threat intelligence (TI).
  • Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.
  • Use a threat engine that matches discovered malicious code against malware databases and, based on code similarities, attributes it to previously revealed APT campaigns.
  • For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage.