Kaspersky researchers have identified a new, previously unknown campaign by Lazarus, a highly prolific advanced threat actor that has been active since at least 2009 and is linked to several multi-faceted campaigns. Since early 2020 it has been targeting the defense industry with a custom backdoor called ThreatNeedle. The backdoor moves laterally through infected networks, collecting sensitive information.
Lazarus is one of the most prolific threat actors active today. It has operated since around 2009 and has been involved in large-scale cyber espionage campaigns, ransomware campaigns, and even attacks on the cryptocurrency market. Although it has focused on financial institutions in recent years, it appears to have added the defense industry to its portfolio in early 2020.
Kaspersky researchers first learned of this campaign when the company was asked to respond to an incident and discovered that the affected organization was the victim of a custom backdoor (a type of malware that allows complete remote control of the device). Known as ThreatNeedle, this backdoor moves laterally through infected networks and exfiltrates sensitive information. To date, organizations in more than a dozen countries have been affected.
The initial infection occurs through spear phishing: recipients receive emails with a malicious Word attachment or a link to one hosted on corporate servers. The emails purported to contain urgent updates related to the pandemic and allegedly came from a well-known medical center.
Once the malicious document is opened, the malware downloads and proceeds to the next stage of the deployment process. The ThreatNeedle malware used in this campaign belongs to a family called Manuscrypt, which is part of the Lazarus group’s arsenal and has previously been used in other cyberattacks against cryptocurrency companies. Once installed, ThreatNeedle can take full control of the victim’s device, which means it can do anything from manipulating files to executing the commands it receives.
One of the most interesting techniques in this campaign is the group’s ability to steal data from both the office IT network (a network of computers with internet access) and a restricted plant network (a network that hosts mission-critical assets and computers holding very sensitive data, with no internet access). Company policy assumes that no information can be transferred between these two networks. However, administrators can connect to either network to service these systems. Lazarus was able to take control of the administrators’ workstations and then configure a malicious gateway to reach the restricted network and steal and exfiltrate sensitive data from there.
“Lazarus was perhaps the most active threat actor of 2020, and it doesn’t seem like that will change in the short term. Back in January of this year, the Google threat assessment team reported that Lazarus had been discovered, and we expect to see further activity from ThreatNeedle in the future, so we’ll keep watching,” said Seongsu Park, senior security researcher for the Global Research and Analysis Team (GReAT).
“Lazarus is not only very prolific but also very sophisticated. Not only have they been able to break through network segmentation, but they have also done thorough research to create highly personalized and effective spear phishing emails and built custom tools to extract the stolen information to a remote server. As companies continue to work remotely and are therefore more vulnerable, it is important that they take additional security precautions to protect themselves against such advanced attacks,” added Vyacheslav Kopeytsev, security expert at Kaspersky ICS CERT.
Copyright © Grupo Edefa SA Reproduction, in whole or in part, of this article is prohibited without permission and prior authorization from the publisher.