North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware

A prolific North Korean state-sponsored hacking group has been tied to a new, ongoing espionage campaign aimed at exfiltrating sensitive information from organizations in the defense industry.

Attributing the attacks with high confidence to the Lazarus Group, the new findings from Kaspersky signal an expansion of the APT actor's tactics beyond its usual gamut of financially motivated crimes used to fund the cash-strapped regime.

This broadening of its strategic interests happened in early 2020 by leveraging a tool known as ThreatNeedle, researchers Vyacheslav Kopeytsev and Seongsu Park said in a Thursday write-up.

At a high level, the campaign leverages a multi-step approach that begins with a carefully crafted spear-phishing attack and eventually leads to the attackers gaining remote control over the devices.

ThreatNeedle is delivered to targets via COVID-themed emails with malicious Microsoft Word attachments as the initial infection vector. When opened, the document runs a macro containing malicious code designed to download and execute additional payloads on the infected system.

The next-stage malware functions by embedding its malicious capabilities inside a Windows backdoor that offers features for initial reconnaissance and for deploying malware for lateral movement and data exfiltration.

"Once installed, ThreatNeedle is able to obtain full control of the victim's device, meaning it can do everything from manipulating files to executing received commands," Kaspersky security researchers said.

Kaspersky found overlaps between ThreatNeedle and another malware family called Manuscrypt that has been used by Lazarus Group in previous hacking campaigns against the cryptocurrency and mobile games industries, in addition to uncovering connections with other Lazarus clusters such as AppleJeus, DeathNote, and Bookcode.

Interestingly, Manuscrypt was also deployed in a Lazarus Group operation last month, which involved targeting the cybersecurity community with offers to collaborate on vulnerability research, only to infect victims with malware that could lead to the theft of exploits developed by the researchers for possibly undisclosed vulnerabilities, thereby using them to stage further attacks on vulnerable targets of their choice.

Perhaps the most concerning of the developments is a technique adopted by the attackers to bypass network segmentation protections in an unnamed enterprise network by "gaining access to an internal router device and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network to their remote server."
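A defender-side check for the router-as-proxy technique described above, added here as an example that is not from the Kaspersky report or this article: a router should rarely originate sessions to the Internet, so flow records in which an inventoried router address is the source of sizeable outbound traffic are worth alerting on. The device inventory, internal prefixes and flow records below are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Hypothetical inventory of infrastructure devices that should never
# initiate sessions to external hosts (assumption for this example).
ROUTER_ADDRS = {"10.0.0.1", "10.0.0.2"}

# Hypothetical internal address space; anything outside it is "external".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed NetFlow-style records: (src, dst, dst_port, bytes)
SAMPLE_FLOWS = [
    ("10.0.5.23", "10.0.0.1", 22, 1_800),            # admin SSH to router: normal
    ("10.0.0.1", "203.0.113.10", 443, 48_000_000),   # router -> Internet: anomalous
    ("10.0.0.1", "203.0.113.10", 443, 12_000_000),   # same session, more data
    ("10.0.5.40", "198.51.100.7", 443, 250_000),     # workstation browsing: normal
    ("10.0.0.2", "10.0.9.9", 161, 400),              # router -> internal SNMP: normal
]


def is_external(addr: str) -> bool:
    """True when addr is outside every inventoried internal prefix."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_router_egress(flows, router_addrs=ROUTER_ADDRS, min_bytes=1_000_000):
    """Aggregate bytes per (router, external_dst) for flows that a router
    originates towards an external host; return pairs at or above min_bytes.
    Flows are (src, dst, dst_port, bytes) tuples."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if src in router_addrs and is_external(dst):
            totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total >= min_bytes}


if __name__ == "__main__":
    for (router, dst), total in find_router_egress(SAMPLE_FLOWS).items():
        print(f"ALERT: router {router} sent {total} bytes to external host {dst}")
```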

The cybersecurity firm said organizations in more than a dozen countries have been affected to date.

At least one of the spear-phishing emails referenced in the report is written in Russian, while another message came with a malicious file attachment named "Boeing_AERO_GS.docx," possibly implying a U.S. target.

Earlier this month, three North Korean hackers associated with the military intelligence division of North Korea were indicted by the U.S. Justice Department for allegedly taking part in a criminal conspiracy that attempted to extort $1.3 billion in cryptocurrency and cash from banks and other organizations around the world.

"In recent years, the Lazarus group has focused on attacking financial institutions around the world," the researchers concluded. "However, beginning in early 2020, they focused on aggressively attacking the defense industry."

"While Lazarus has also previously utilized the ThreatNeedle malware used in this attack when targeting cryptocurrency businesses, it is currently being actively used in cyberespionage attacks."
