North Korean Hackers Concentrating on Protection Corporations with ThreatNeedle Malware

A prolific North Korean state-sponsored hacking group has been tied to a brand new ongoing espionage marketing campaign aimed toward exfiltrating delicate data from organizations within the protection trade.

Attributing the assaults with excessive confidence to the Lazarus Group, the brand new findings from Kaspersky sign an enlargement of the APT actor’s techniques by going past the same old gamut of financially-motivated crimes to fund the cash-strapped regime.

This broadening of its strategic pursuits occurred in early 2020 by leveraging a device known as ThreatNeedle, researchers Vyacheslav Kopeytsev and Seongsu Park mentioned in a Thursday write-up.

At a excessive degree, the marketing campaign leverages a multi-step method that begins with a rigorously crafted spear-phishing assault main finally to the attackers gaining distant management over the gadgets.

ThreatNeedle is delivered to targets through COVID-themed emails with malicious Microsoft Phrase attachments as preliminary an infection vectors that, when opened, run a macro containing malicious code designed to obtain and execute further payloads on the contaminated system.

The subsequent-stage malware features by embedding its malicious capabilities inside a Home windows backdoor that provides options for preliminary reconnaissance and deploying malware for lateral motion and information exfiltration.

“As soon as put in, ThreatNeedle is ready to acquire full management of the sufferer’s gadget, that means it will possibly do every little thing from manipulating information to executing obtained instructions,” Kaspersky safety researchers said.

Kaspersky discovered overlaps between ThreatNeedle and one other malware household known as Manuscrypt that has been utilized by Lazarus Group in earlier hacking campaigns towards the cryptocurrency and cell video games industries, moreover uncovering connections with different Lazarus clusters akin to AppleJeus, DeathNote, and Bookcode.

North Korean Hacker

Apparently, Manuscrypt was additionally deployed in a Lazarus Group operation final month, which concerned targeting the cybersecurity community with alternatives to collaborate on vulnerability analysis, solely to contaminate victims with malware that would trigger the theft of exploits developed by the researchers for probably undisclosed vulnerabilities, thereby utilizing them to stage additional assaults on weak targets of their alternative.

Maybe probably the most regarding of the event is a way adopted by the attackers to bypass community segmentation protections in an unnamed enterprise community by “getting access to an inner router machine and configuring it as a proxy server, permitting them to exfiltrate stolen information from the intranet community to their distant server.”

The cybersecurity agency mentioned organizations in additional than a dozen nations have been affected thus far.

At the least one of many spear-phishing emails referenced within the report is written in Russian, whereas one other message got here with a malicious file attachment named “Boeing_AERO_GS.docx,” probably implying a U.S. goal.

Earlier this month, three North Korean hackers related to the navy intelligence division of North Korea have been indicted by the U.S. Justice Department for allegedly participating in a prison conspiracy that tried to extort $1.three billion in cryptocurrency and money from banks and different organizations around the globe.

“Lately, the Lazarus group has targeted on attacking monetary establishments around the globe,” the researchers concluded. “Nevertheless, starting in early 2020, they targeted on aggressively attacking the protection trade.”

“Whereas Lazarus has additionally beforehand utilized the ThreatNeedle malware used on this assault when focusing on cryptocurrency companies, it’s presently being actively utilized in cyberespionage assaults.”