In May and October of 2022, the North Korea-linked Lazarus Group weaponized flaws in an undisclosed piece of software to breach a financial business entity in South Korea. The first attack exploited a vulnerable version of certificate software that's widely used by public institutions and universities, while the second attack exploited a zero-day in the same program.
Cybersecurity firm AhnLab Security Emergency Response Center (ASEC) said it's refraining from naming the software because "the vulnerability has not been fully verified yet and a software patch has not been released." After obtaining an initial foothold by an unknown method, the adversarial collective abused the zero-day bug to perform lateral movement, shortly after which the AhnLab V3 anti-malware engine was disabled via a BYOVD attack.
The Bring Your Own Vulnerable Driver, or BYOVD, technique has been repeatedly employed by the Lazarus Group in recent months, as documented by both ESET and AhnLab in a series of reports late last year. Among other steps to conceal its malicious behavior, the Lazarus Group has been known to change file names before deleting them and modify timestamps using an anti-forensic technique referred to as timestomping.