A prolific North Korean state-sponsored hacking group has been tied to a new ongoing espionage campaign aimed at exfiltrating sensitive information from organizations in the defense industry.
Attributing the attacks with high confidence to the Lazarus Group, the new findings from Kaspersky signal an expansion of the APT actor's tactics by going beyond the usual gamut of financially-motivated crimes to fund the cash-strapped regime.
This broadening of its strategic interests happened in early 2020 by leveraging a tool called ThreatNeedle, researchers Vyacheslav Kopeytsev and Seongsu Park said in a Thursday write-up.
At a high level, the campaign takes advantage of a multi-step approach that begins with a carefully crafted spear-phishing attack leading eventually to the attackers gaining remote control over the devices.
ThreatNeedle is delivered to targets via COVID-themed emails with malicious Microsoft Word attachments as initial infection vectors that, when opened, run a macro containing malicious code designed to download and execute additional payloads on the infected system.
The next-stage malware functions by embedding its malicious capabilities inside a Windows backdoor that offers features for initial reconnaissance and deploying malware for lateral movement and data exfiltration.
"Once installed, ThreatNeedle is able to obtain full control of the victim's device, meaning it can do everything from manipulating files to executing received commands," Kaspersky security researchers said.
Kaspersky found overlaps between ThreatNeedle and another malware family called Manuscrypt that has been used by Lazarus Group in previous hacking campaigns against the cryptocurrency and mobile games industries, besides uncovering connections with other Lazarus clusters such as AppleJeus, DeathNote, and Bookcode.
Interestingly, Manuscrypt was also deployed in a Lazarus Group operation last month, which involved targeting the cybersecurity community with opportunities to collaborate on vulnerability research, only to infect victims with malware that could cause the theft of exploits developed by the researchers for possibly undisclosed vulnerabilities, thereby using them to stage further attacks on vulnerable targets of their choice.
Perhaps the most concerning part of the development is a technique adopted by the attackers to bypass network segmentation protections in an unnamed enterprise network by "gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network to their remote server."
The cybersecurity firm said organizations in more than a dozen countries have been affected to date.
At least one of the spear-phishing emails referenced in the report is written in Russian, while another message came with a malicious file attachment named "Boeing_AERO_GS.docx," possibly implying a U.S. target.
Earlier this month, three North Korean hackers associated with the military intelligence division of North Korea were indicted by the U.S. Justice Department for allegedly participating in a criminal conspiracy that attempted to extort $1.3 billion in cryptocurrency and cash from banks and other organizations around the world.
"In recent years, the Lazarus group has focused on attacking financial institutions around the world," the researchers concluded. "However, beginning in early 2020, they focused on aggressively attacking the defense industry."
"While Lazarus has also previously utilized the ThreatNeedle malware used in this attack when targeting cryptocurrency businesses, it is currently being actively used in cyberespionage attacks."