A prolific North Korean state-sponsored hacking group has been tied to a new ongoing espionage campaign aimed at exfiltrating sensitive information from organizations in the defense industry.
Attributing the attacks with high confidence to the Lazarus Group, the new findings from Kaspersky signal an expansion of the APT actor's tactics by going beyond the usual gamut of financially-motivated crimes to fund the cash-strapped regime.
This broadening of its strategic interests happened in early 2020 by leveraging a tool called ThreatNeedle, researchers Vyacheslav Kopeytsev and Seongsu Park said in a Thursday write-up.
At a high level, the campaign takes advantage of a multi-step approach that begins with a carefully crafted spear-phishing attack leading eventually to the attackers gaining remote control over the devices.
ThreatNeedle is delivered to targets via COVID-themed emails with malicious Microsoft Word attachments as initial infection vectors that, when opened, run a macro containing malicious code designed to download and execute additional payloads on the infected system.
The next-stage malware functions by embedding its malicious capabilities inside a Windows backdoor that offers features for initial reconnaissance and deploying malware for lateral movement and data exfiltration.
"Once installed, ThreatNeedle is able to obtain full control of the victim's device, meaning it can do everything from manipulating files to executing received commands," Kaspersky security researchers said.
Kaspersky found overlaps between ThreatNeedle and another malware family called Manuscrypt that has been used by Lazarus Group in previous hacking campaigns against the cryptocurrency and mobile games industries, besides uncovering connections with other Lazarus clusters such as AppleJeus, DeathNote, and Bookcode.
Interestingly, Manuscrypt was also deployed in a Lazarus Group operation last month, which involved targeting the cybersecurity community with offers to collaborate on vulnerability research, only to infect victims with malware that could enable the theft of exploits developed by the researchers for possibly undisclosed vulnerabilities, which could then be used to stage further attacks on vulnerable targets of their choice.
Perhaps the most concerning development is a technique adopted by the attackers to bypass network segmentation protections in an unnamed enterprise network by "gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network to their remote server."
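The router-as-proxy exfiltration technique quoted above leaves network-level traces a defender can look for. The following is an added Python example (not code from the Kaspersky report or this article) that scans constructed flow records for two such indicators: an internal host sending data to a router on a port that is not a management port, and a router itself originating a bulk transfer to an address outside the organization's own prefixes. The router addresses, expected ports, internal ranges and threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Address space the organization owns (assumed); anything outside it is "external".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Internal routers (assumed) and the ports on which hosts legitimately reach them
# (SSH, SNMP, BGP, HTTPS management). Anything else hints at a proxy listener.
ROUTERS = {"10.1.0.1", "10.1.0.2"}
EXPECTED_ROUTER_PORTS = {22, 161, 179, 443}
EGRESS_THRESHOLD = 10_000_000  # bytes per (router, external host) pair

# Constructed flow records (src, dst, dst_port, bytes); not taken from the report.
SAMPLE_FLOWS = [
    ("10.1.20.15", "10.1.0.1", 22, 1_200),           # admin SSH to router: expected
    ("10.1.20.15", "10.1.0.1", 8080, 52_000_000),    # workstation pushing data to router on 8080
    ("10.1.0.1", "198.51.100.7", 443, 51_500_000),   # router itself uploading to an outside host
    ("10.1.20.22", "10.1.50.9", 445, 40_000),        # ordinary file-share traffic
    ("10.1.0.1", "10.1.0.2", 179, 3_000),            # router-to-router BGP: expected
]


def is_external(ip):
    """True when the address lies outside every internal prefix."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_router_proxy_indicators(flows, routers=ROUTERS,
                                 expected_ports=EXPECTED_ROUTER_PORTS,
                                 threshold=EGRESS_THRESHOLD):
    """Return (kind, src, dst, port, bytes) tuples for flows consistent with
    a router being used as an exfiltration proxy."""
    findings = []
    egress = defaultdict(int)
    for src, dst, port, nbytes in flows:
        # A router forwards traffic; it should rarely originate bulk transfers outward.
        if src in routers and is_external(dst):
            egress[(src, dst)] += nbytes
        # An internal host talking to a router on a non-management port suggests a proxy.
        if dst in routers and src not in routers and port not in expected_ports:
            findings.append(("unexpected_port_to_router", src, dst, port, nbytes))
    for (src, dst), total in egress.items():
        if total >= threshold:
            findings.append(("router_bulk_egress", src, dst, None, total))
    return findings


if __name__ == "__main__":
    for finding in find_router_proxy_indicators(SAMPLE_FLOWS):
        print(*finding)
```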
The cybersecurity firm said organizations in more than a dozen countries have been affected to date.
At least one of the spear-phishing emails referenced in the report is written in Russian, while another message came with a malicious file attachment named "Boeing_AERO_GS.docx," possibly implying a U.S. target.
Earlier this month, three North Korean hackers associated with the military intelligence division of North Korea were indicted by the U.S. Justice Department for allegedly taking part in a criminal conspiracy that attempted to extort $1.3 billion in cryptocurrency and cash from banks and other organizations around the world.
"In recent years, the Lazarus group has focused on attacking financial institutions around the world," the researchers concluded. "However, beginning in early 2020, they focused on aggressively attacking the defense industry."
"While Lazarus has also previously utilized the ThreatNeedle malware used in this attack when targeting cryptocurrency businesses, it is currently being actively used in cyberespionage attacks."