North Korea-linked Lazarus APT group has targeted the defense industry with the custom backdoor dubbed ThreatNeedle since 2020.
North Korea-linked Lazarus APT group has targeted the defense industry with the backdoor dubbed ThreatNeedle since early 2020.
The state-sponsored hackers targeted organizations from more than a dozen countries.
The experts discovered the custom backdoor while investigating an incident; the attackers used it for lateral movement and data exfiltration.
The attack chain starts with COVID-19-themed spear-phishing messages that contain either a malicious Word attachment or a link to one hosted on company servers.
“Once the malicious document is opened, the malware is dropped and proceeds to the next stage of the deployment process. The ThreatNeedle malware used in this campaign belongs to a malware family known as Manuscrypt, which belongs to the Lazarus group and has previously been seen attacking cryptocurrency businesses,” reads the press release published by Kaspersky. “Once installed, ThreatNeedle is able to obtain full control of the victim’s device, meaning it can do everything from manipulating files to executing received commands.”
ThreatNeedle attempts to exfiltrate sensitive data from the infected networks through SSH tunnels to a remote server located in South Korea. The attackers employed a custom tunneling tool for this: it forwards client traffic to the server, and the malware encrypts that traffic using a trivial binary encryption scheme.
The backdoor is able to bypass network segmentation and access restricted networks.
“After gaining an initial foothold, the attackers gathered credentials and moved laterally, seeking crucial assets in the victim environment,” states the report published by Kaspersky. “We observed how they overcame network segmentation by gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network to their remote server. So far organizations in more than a dozen countries have been affected.”
The malware was able to steal data from both office IT networks and a restricted network (one containing mission-critical assets and computers with highly sensitive data and no internet access).
Kaspersky pointed out that, although no information is supposed to be transferred between these two networks, administrators could connect to both of them to maintain the systems.
Lazarus hackers gained control of administrator workstations and then set up a malicious gateway to reach the restricted network and steal confidential data from it.
“According to the evidence collected, the attackers scanned the router’s ports and detected a Webmin interface. Next, the attackers logged in to the web interface using a privileged root account. It’s unknown how the attackers were able to obtain the credentials for that account, but it’s possible the credentials were saved in one of the infected system’s browser password managers,” reads the report published by the experts. “By gaining access to the configuration panel the attackers configured the Apache web server and started using the router as a proxy server between the organization’s corporate and restricted segments.”
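The segmentation bypass described above leaves a trace: an internal web server that is suddenly handling forward-proxy requests (CONNECT tunnels or absolute-URI request lines) from the corporate segment toward the restricted one. The following is an added detection example, not code from Kaspersky's report or from the attackers' tooling; the subnets and the Apache combined-format log lines are constructed for illustration.

```python
import ipaddress
import re

# Hypothetical segments (assumption, not from the report).
CORPORATE = ipaddress.ip_network("10.10.0.0/16")
RESTRICTED = ipaddress.ip_network("192.168.50.0/24")

# Constructed Apache access log lines from an internal router/web server.
# Lines 2 and 3 are what a forward proxy records; line 1 and 4 are ordinary origin requests.
SAMPLE_LOG = """\
10.10.3.21 - - [12/Feb/2021:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.10.3.21 - - [12/Feb/2021:09:15:10 +0000] "GET http://192.168.50.12/share/plans.zip HTTP/1.1" 200 9182331
10.10.3.21 - - [12/Feb/2021:09:16:44 +0000] "CONNECT 192.168.50.12:22 HTTP/1.1" 200 -
10.10.7.9 - - [12/Feb/2021:09:20:01 +0000] "GET /status HTTP/1.1" 200 128
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def proxy_target_host(method, target):
    """Return the host a request would be proxied to, or None for an ordinary request.
    CONNECT and absolute-URI request lines only appear when the server acts as a forward proxy."""
    if method.upper() == "CONNECT":
        return target.rsplit(":", 1)[0]
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:]+)", target, re.I)
    return m.group(1) if m else None


def find_segment_bridging(log_text):
    """Return (src, dst_host, method, status) for successful proxied requests that cross
    from the corporate segment into the restricted one."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dst = proxy_target_host(m["method"], m["target"])
        if dst is None:
            continue
        try:
            src_ip, dst_ip = ipaddress.ip_address(m["src"]), ipaddress.ip_address(dst)
        except ValueError:  # hostnames or bracketed IPv6 literals are skipped here
            continue
        if src_ip in CORPORATE and dst_ip in RESTRICTED and m["status"].startswith("2"):
            hits.append((m["src"], dst, m["method"].upper(), int(m["status"])))
    return hits
```

Feeding the real access log of any server that is reachable from both segments through this function turns up the proxy misuse even when the Webmin login itself went unlogged.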
The activity of the Lazarus APT group surged in 2014 and 2015, when its members used mostly custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and it has been involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems.