North Korea and South Korea have been at odds for some time, it seems.
I said this in a room on Clubhouse: the Koreas, China and Russia are somewhat concerning, because they are known to cause havoc with no regard for privacy.
In this particular article we’re linking to today, we’re talking about North Korea and their hackers exploiting a VPN to give people malware.
The two threat groups implicated in this activity are Kimsuky (APT43) and Andariel (APT45), state-sponsored actors previously linked to the notorious Lazarus Group.
The article continues:
In the first case highlighted in the advisory, dated January 2024, Kimsuky compromised the website of a South Korean construction trade organization to disseminate malware to visitors.
According to a February report by ASEC, when employees attempted to log into the organization’s website, they were prompted to install required security software called “NX_PRNMAN” or “TrustPKI.”
To make matters worse,
When the trojanized software was installed, the malware was also deployed to capture screenshots, steal data stored in browsers (credentials, cookies, bookmarks, history), and steal GPKI certificates, SSH keys, Sticky Notes, and FileZilla data.
Further down, it says:
“In April 2024, the Andariel hacking group exploited vulnerabilities in domestic security software (VPN and server security) to replace update files with malware, distributing remote control malware named “DoraRAT” to construction and machinery companies,” explains a machine-translated version of the NCSC advisory.
There is more about this RAT (remote access trojan) in the article titled "North Korean hackers exploit VPN update flaw to install malware" if you want to read the full piece.
Have fun with this one!