VeraPort websites delivered Lazarus malware
Lazarus abused compromised South Korean websites that supported WIZVERA VeraPort. Signed impostor installers were delivered through a trusted security-software workflow.
Story
VeraPort is an integration installer used by South Korean government and banking websites to install required browser plug-ins, identity software, and security tools. That made it a trusted distribution path, often with little user interaction once the user visited a supported site.
ESET did not report a compromise of WIZVERA's own infrastructure. The attack depended on compromised websites that already supported VeraPort, plus VeraPort configuration choices that let software be replaced if it carried a valid digital signature. Lazarus supplied signed malware that looked like legitimate South Korean security software.
The delivered files used names such as Delfino.exe and MagicLineNPIZ.exe, with stolen or illegally obtained certificates from ALEXIS SECURITY GROUP and DREAM SECURITY USA. VeraPort validated the signature, but in vulnerable configurations it did not bind the download to an expected publisher or hash.
This remains in scope as an edge case because a legitimate, required software installation mechanism delivered attacker-controlled binaries from compromised official websites. The record names the trust path carefully: VeraPort was abused as the installer channel; the compromised distribution points were the VeraPort-enabled sites.
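The weak point the record describes is a verification policy that checks only that a download carries a valid code signature, without pinning the download to the publisher and hash the site operator expects. The following Python model, added here as an illustration and not code from WIZVERA, ESET or the page, puts the two policies side by side: "any valid signature" versus "valid signature plus pinned publisher plus pinned hash". Signature validity is modelled as a boolean, the file contents and expected-publisher names are constructed placeholders, and the impostor signer subjects are the two certificate subjects listed in this record.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SignedDownload:
    """A download as an integration installer sees it (a model, constructed for this example)."""
    filename: str
    content: bytes
    signer_subject: str   # subject of the code-signing certificate
    chain_valid: bool     # True if the signature verifies and chains to a trusted root

    @property
    def sha1(self) -> str:
        # The record lists SHA-1 hashes, so SHA-1 is used here; a real pin should prefer SHA-256.
        return hashlib.sha1(self.content).hexdigest()


# Hypothetical per-component expectations a site operator would pin.
# Contents and vendor names are placeholders, not real samples or real vendors.
LEGIT_CONTENT = {
    "Delfino.exe": b"constructed stand-in for the genuine Delfino installer",
    "MagicLineNPIZ.exe": b"constructed stand-in for the genuine MagicLine installer",
}
EXPECTED_PUBLISHER = {
    "Delfino.exe": "EXAMPLE GENUINE VENDOR A",
    "MagicLineNPIZ.exe": "EXAMPLE GENUINE VENDOR B",
}
PINNED_SHA1 = {name: hashlib.sha1(data).hexdigest() for name, data in LEGIT_CONTENT.items()}


def weak_policy(dl: SignedDownload) -> bool:
    """Accept any file whose signature verifies: the configuration the record describes as abused."""
    return dl.chain_valid


def strict_policy(dl: SignedDownload) -> bool:
    """Signature must verify AND the signer must be the expected publisher AND the hash must match."""
    if not dl.chain_valid:
        return False
    if dl.signer_subject != EXPECTED_PUBLISHER.get(dl.filename):
        return False
    return dl.sha1 == PINNED_SHA1.get(dl.filename)


def evaluate(downloads, policy) -> dict:
    """Map each filename to the policy's accept/reject decision."""
    return {dl.filename: policy(dl) for dl in downloads}


# Genuine files: expected publisher, pinned content.
GENUINE = [SignedDownload(n, LEGIT_CONTENT[n], EXPECTED_PUBLISHER[n], True) for n in LEGIT_CONTENT]

# Impostors: same filenames, different content, validly signed with a certificate from an
# unexpected subject (the two subjects named in this record). Content is constructed.
IMPOSTORS = [
    SignedDownload("Delfino.exe", b"constructed impostor payload 1", "ALEXIS SECURITY GROUP, LLC", True),
    SignedDownload("MagicLineNPIZ.exe", b"constructed impostor payload 2", "DREAM SECURITY USA INC", True),
]

# A file from the expected publisher whose content does not match the pin is also rejected
# under the strict policy: the hash pin catches a tampered or unexpected build even with a good signer.
WRONG_BUILD = SignedDownload("Delfino.exe", b"constructed unexpected build", "EXAMPLE GENUINE VENDOR A", True)


if __name__ == "__main__":
    print("weak   :", evaluate(GENUINE + IMPOSTORS, weak_policy))
    print("strict :", evaluate(GENUINE + IMPOSTORS, strict_policy))
```

Under the weak policy every file in the model is accepted, because the only question asked is whether the signature verifies; under the strict policy the two impostors and the unexpected build are rejected, which is the binding the record says vulnerable VeraPort configurations lacked.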
Affected Artifacts
- Observed: 2020-11-16 to 2020-11-18
- Compromised Versions: Unknown
- Fixed: Not listed
- Hashes: sha1:3d311117d09f4a6ad300e471c2fb2b3c63344b1d
- Evidence: certificate_subject: ALEXIS SECURITY GROUP, LLC; observable: Camouflaged as legitimate South Korean software delivered via VeraPort.

- Observed: 2020-11-16 to 2020-11-18
- Compromised Versions: Unknown
- Fixed: Not listed
- Hashes: sha1:3abfec6fc3445759730789d4322b0be73dc695c7
- Evidence: certificate_subject: DREAM SECURITY USA INC; observable: Camouflaged as legitimate South Korean software delivered via VeraPort.
- ESET reported this sample as one of two signed malware files delivered through the VeraPort abuse chain.
Incident Context
- Motive: Espionage
- Attribution: Group
- Cause: Compromised Website
- Transitive: No
- Actor: Lazarus Group
Indicators
- campaign: Operation BookCodes
- family: NukeSped
- file: Delfino.exe
- file: MagicLineNPIZ.exe
- file: Btserv.dll
- file: bcyp655.tlb
- certificate_subject: ALEXIS SECURITY GROUP, LLC
- certificate_subject: DREAM SECURITY USA INC
- path: %Temp%\[12_RANDOM_DIGITS]\
- observable: VeraPort configuration verified valid digital signatures but could omit publisher or hash binding.
- observable: ESET said the supply-chain attacks occurred at websites using VeraPort rather than at WIZVERA itself.
External References
- Lazarus supply-chain attack in South Korea (welivesecurity.com)
- Lazarus misuses legitimate security software in a supply-chain attack in South Korea, ESET Research discovers (eset.com)
- Websites requiring security software downloads opened door to supply chain attacks (cworld.com)
- Hacked Security Software Used in Novel South Korean Supply-Chain Attack (threatpost.com)
- Trojanized Security Software Hits South Korean Users in Supply-Chain Attack (thehackernews.com)
Source record: proprietary/veraport/meta.yaml