North Korea-linked Lazarus APT group has targeted the defense industry with the backdoor dubbed ThreatNeedle since early 2020.
The state-sponsored hackers targeted organizations from more than a dozen countries.
The experts discovered the custom backdoor while investigating an incident, it was used by attackers for lateral movements and data exfiltration.
The attack chain starts with COVID19-themed spear-phishing messages that contain either a malicious Word attachment or a link to one hosted on company servers.
“Once the malicious document is opened, the malware is dropped and proceeds to the next stage of the deployment process. The ThreatNeedle malware used in this campaign belongs to a malware family known as Manuscrypt, which belongs to the Lazarus group and has previously been seen attacking cryptocurrency businesses.” reads the press release published by Kaspersky. “Once installed, ThreatNeedle is able to obtain full control of the victim’s device, meaning it can do everything from manipulating files to executing received commands.”
ThreatNeedle attempt to exfiltrate sensitive data from the infected networks through SSH tunnels to a remote server located in South Korea. Attackers employed a custom tunneling tool to achieve this, it forwards client traffic to the server, the malware encrypts the traffic using trivial binary encryption.
The backdoor is able to bypass network segmentation and access restricted networks.
“After gaining an initial foothold, the attackers gathered credentials and moved laterally, seeking crucial assets in the victim environment.” states the report published by Kaspersky. “We observed how they overcame network segmentation by gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network to their remote server. So far organizations in more than a dozen countries have been affected.”
The malware was able to steal data from both office IT networks and a restricted network (one containing mission-critical assets and computers with highly sensitive data and no internet access).
Kaspersky pointed out that despite no information is supposed to be transferred between the above networks administrators could connect to both networks to maintain these systems.
Lazarus hackers were able to gain control of administrator workstations and then set up a malicious gateway to find the way to the restricted network and to steal and extract confidential data from there.
“According to the evidence collected, the attackers scanned the router’s ports and detected a Webmin interface. Next, the attackers logged in to the web interface using a privileged root account. It’s unknown how the attackers were able to obtain the credentials for that account, but it’s possible the credentials were saved in one of the infected system’s browser password managers.” reads the report published by the experts. “By gaining access to the configuration panel the attackers configured the Apache web server and started using the router as a proxy server between the organization’s corporate and restricted segments.”
The activity of the Lazarus APT group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.
According to a report published by Kaspersky Lab in January 2020, in the two years the North Korea-linked APT group has continued to target cryptocurrency exchanges evolving its TTPs.
In December, the North Korea-linked Lazarus APT group has launched cyberattacks against at least two organizations involved in COVID-19 research.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Lazarus)