WizVera

#VeraPort • 2020-11

🇰🇷 Korea, Republic of

Lazarus abused the WIZVERA VeraPort software distribution workflow used by South Korean government and banking sites, compromising supported websites and replacing legitimate bundled installers with malware. The attack relied on VeraPort accepting any valid code-signing certificate rather than verifying signer identity, with observed Delfino.exe and MagicLineNPIZ.exe samples masquerading as South Korean security software and signed with certificates issued to ALEXIS SECURITY GROUP and DREAM SECURITY USA.

Related Actors

Related Reports

2023-10-04
ESET
#DreamJob #Inception #MagicLine4NX #3CXDesktopApp #CrossWebEX #VeraPort #DangerousPassword
2021-02-28
PWC
#AppleSeed #BlackBanshee #BlackArtemis #VeraPort #ShowState #BlackShoggoth #T1082 #T1140 #T1005 #T1070.004 #T1041 #T1083 #T1056.001 #T1036 #T1027 #T1071 #T1204 #T1057 #T1547.001 #T1566 #T1059 #T1195 #T1490 #T1486 #T1489 #T1133 #T1068 #T1221 #T1187
2020-11-18
KRCERT
#VeraPort
2020-11-16
ESET
#BookCodes #SupplyChain #MagicLine4NX #VeraPort #Lazarus #T1584.004 #T1587.001 #T1041 #T1071.001 #T1195.002 #T1036 #T1055 #T1553.002 #T1027.002 #T1573.001 #T1588.003 #T1106 #T1547.005
« Back