The Lazarus group was spotted exploiting a flaw in unnamed software to gain access to a South Korean finance firm twice last year. The North Korea-linked group infiltrated the affected company in May 2022 and again in October through the same software's zero-day vulnerability, according to research by AhnLab Security Emergency Response Center (ASEC).

ASEC has reported the software in question to the Korea Internet & Security Agency (KISA), since the vulnerability has not yet been fully verified and no patch has been released. The report therefore does not name the affected software.

During the May 2022 intrusion, the financial company was running a vulnerable version of a certificate program commonly used by public institutions and universities. After the incident, the company updated all of its software to the latest versions. The Lazarus group nevertheless used a zero-day vulnerability in the same software to break in a second time, ASEC said.

BYOVD attack

To disable security products on infected machines and to exploit that software's vulnerable kernel driver modules, the Lazarus group used the Bring Your Own Vulnerable Driver (BYOVD) technique. In a BYOVD attack, the threat actor brings a legitimately signed but vulnerable driver onto the target, loads it, and abuses its flaws to perform malicious actions on the system.
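The practical defensive counterpart to the technique just described is an inventory of what is actually loaded in the kernel. As an added example (this is not code from ASEC's report or from the article), the PowerShell script below lists the kernel drivers currently running on a Windows host, records each one's SHA-256 and Authenticode status, flags any whose hash appears in a caller-supplied list of known-vulnerable drivers, and reports whether Microsoft's vulnerable driver blocklist is switched on. The two hashes in $KnownVulnerableSha256 are placeholders, not real indicators; a real hunt would load hashes from a published blocklist such as Microsoft's recommended driver block rules or the LOLDrivers project. The registry value VulnerableDriverBlocklistEnable is assumed to be the setting behind the Core Isolation toggle introduced in Windows 11 22H2 and is absent on older builds.

```powershell
# Added example, not code from the ASEC report. Inventory loaded kernel drivers,
# hash and signature-check each one, and flag matches against a vulnerable-driver list.
# The hashes below are placeholders, not real indicators of compromise.
$KnownVulnerableSha256 = @(
    '0000000000000000000000000000000000000000000000000000000000000001',  # placeholder
    '0000000000000000000000000000000000000000000000000000000000000002'   # placeholder
)

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName may be absolute, \SystemRoot\..., \??\C:\..., or System32\...
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32', "$env:SystemRoot\System32"
    return $p
}

function Get-LoadedDriverReport {
    [CmdletBinding()]
    param([string[]]$VulnerableHashes = $KnownVulnerableSha256)

    $wanted = @{}
    foreach ($h in $VulnerableHashes) { $wanted[$h.ToUpperInvariant()] = $true }

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $hash = $null; $sig = 'NoFile'; $signer = $null
            if ($path -and (Test-Path -LiteralPath $path)) {
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash   # upper-case hex
                $s = Get-AuthenticodeSignature -LiteralPath $path
                $sig = $s.Status.ToString()
                if ($s.SignerCertificate) { $signer = $s.SignerCertificate.Subject }
            }
            $known = [bool]($hash -and $wanted.ContainsKey($hash))
            [pscustomobject]@{
                Name       = $_.Name
                Path       = $path
                Sha256     = $hash
                Signature  = $sig
                Signer     = $signer
                KnownVuln  = $known
                # A BYOVD driver carries a valid signature, so "Valid" alone is not a clean bill;
                # the hash match is the signal. Unsigned or unverifiable drivers are flagged too.
                Suspicious = $known -or ($sig -ne 'Valid')
            }
        }
}

function Get-VulnerableDriverBlocklistState {
    # Assumption: this value backs the "Microsoft Vulnerable Driver Blocklist" toggle
    # under Core Isolation on Windows 11 22H2 and later; it does not exist on older builds.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $v = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'NotPresent' }
    if ($v.VulnerableDriverBlocklistEnable -eq 1) { return 'Enabled' }
    return 'Disabled'
}

# Usage: run elevated, review the flagged rows, then check the blocklist state.
Get-LoadedDriverReport | Where-Object Suspicious | Format-Table -AutoSize
"Vulnerable driver blocklist: $(Get-VulnerableDriverBlocklistState)"
```

Run it elevated, because Get-FileHash needs read access to the drivers directory. The design choice worth noting is that signature validity is deliberately not treated as exoneration: the whole point of BYOVD is that the driver passes Driver Signature Enforcement, so the useful signals are the hash list, the signer identity, and the load event itself (Sysmon event ID 6, if deployed), not the signature status.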
The attacker uses the driver's vulnerabilities to execute malicious actions with kernel-level privileges, the level at which endpoint security products can be blinded or terminated.

The zero-day that the threat actors exploited was in certificate software commonly used in Korea. "Since these types of software are not updated automatically, they must be manually patched to the latest version or deleted if unused," ASEC said in the research.

To further conceal its activity, the Lazarus group either changed file names before deleting files or modified timestamps, an anti-forensic technique, ASEC said. The attack resulted in multiple backdoor payloads being installed on the infected systems; these connected to remote command-and-control servers and retrieved additional binaries for execution.

"Instead of taking only post-attack measures, continuous monitoring is required to prevent recurrences," ASEC said in the research.

Activities of Lazarus group

The Lazarus group, active since 2009, is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau, North Korea's intelligence agency. Its most notable attacks include the 2014 attack on Sony Pictures Entertainment, in which the group deployed wiper malware to destroy sensitive company data, and a 2016 operation in which it stole millions of dollars from Bangladesh's central bank.

The group has also been targeting the cryptocurrency sector in recent times. Earlier this week, the FBI confirmed that the Lazarus group was responsible for the Harmony Horizon Bridge theft; Harmony had reported the theft of $100 million in virtual currency in June 2022.

The group, which is tracked by several security research teams, has been updating its tactics, techniques and procedures and introducing new payloads.
Last month, ESET researchers attributed WinorDLL64, a payload of the Wslink downloader, to the Lazarus group. The payload can manipulate files, execute further code, and collect extensive information about the underlying system that can later be leveraged for lateral movement.

The group is also known to have targeted Korean companies in national defense, satellites, software and the press over the last two years, according to ASEC.

"The Lazarus group is researching the vulnerabilities of various other software and is constantly changing its TTPs by altering the way it disables security products and carries out anti-forensic techniques to interfere with or delay detection and analysis in order to infiltrate Korean institutions and companies," the ASEC report said.
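The closing quote mentions anti-forensic techniques, and the report describes timestamp modification on the compromised hosts. As an added example (not code from the ASEC report or the article), the PowerShell function below surfaces files whose NTFS timestamps look hand-set rather than produced by normal file operations. It applies two heuristics: a timestamp with no sub-second part (SetFileTime callers that pass whole seconds, as timestomping utilities typically do, leave the 100-ns fraction at zero), and a recently created file carrying a LastWriteTime far in the past. Both are triage filters, not proof: archive extraction and copies from FAT media also yield whole-second times, and any ordinary copy has a LastWriteTime older than its CreationTime. The $RecentDays window and the one-year gap are assumed thresholds. Corroboration comes from the $FILE_NAME timestamps in the MFT, which SetFileTime cannot change and which this script does not read.

```powershell
# Added example, not code from the ASEC report. Heuristic timestomp triage over a directory tree.

function Test-WholeSecond {
    # NTFS keeps 100-ns ticks. A timestamp set through SetFileTime with a whole-second
    # value (typical of timestomping tools) has a zero sub-second part.
    param([datetime]$Time)
    return (($Time.Ticks % [timespan]::TicksPerSecond) -eq 0)
}

function Get-TimestompCandidates {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$RecentDays = 30,      # assumed window for "recently created"
        [int]$StaleYears = 1        # assumed gap for "LastWrite far older than creation"
    )
    $recentCutoff = (Get-Date).ToUniversalTime().AddDays(-$RecentDays)

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $reasons = @()

            # Heuristic 1: creation and modification times both land on an exact second.
            if ((Test-WholeSecond $_.CreationTimeUtc) -and (Test-WholeSecond $_.LastWriteTimeUtc)) {
                $reasons += 'whole-second creation and modification times'
            }

            # Heuristic 2: file appeared recently but claims to have last been written
            # more than $StaleYears before it was created. Copies do this too, so
            # corroborate against the MFT $FILE_NAME timestamps before drawing conclusions.
            $staleCutoff = $_.CreationTimeUtc.AddYears(-$StaleYears)
            if ($_.CreationTimeUtc -gt $recentCutoff -and $_.LastWriteTimeUtc -lt $staleCutoff) {
                $reasons += 'recent creation with much older LastWriteTime'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Created  = $_.CreationTimeUtc
                    Modified = $_.LastWriteTimeUtc
                    Accessed = $_.LastAccessTimeUtc
                    Reason   = ($reasons -join '; ')
                }
            }
        }
}

# Usage: start with the places a BYOVD driver or dropped backdoor is likely to land.
Get-TimestompCandidates -Path "$env:SystemRoot\System32\drivers" | Format-Table -AutoSize
Get-TimestompCandidates -Path $env:TEMP -RecentDays 14 | Format-Table -AutoSize
```

Treat the output as a worklist for deeper analysis of the flagged entries (MFT $FILE_NAME comparison, USN journal for the renames the report describes, and prefetch or event-log evidence of what touched the file), not as a verdict on its own.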