During an attack on the defense industry, the North Korea-linked threat group known as Lazarus was able to exfiltrate data from a restricted network segment by taking control of a router and setting it up as a proxy server.
For initial access, the group used phishing emails featuring COVID-19 themes and containing publicly available personal information of the intended victims. Next, they focused on credential harvesting and lateral movement, including gaining access to and exfiltrating data from restricted network segments.
Active since at least 2009, Lazarus has orchestrated multiple high-profile attacks. In 2019, they focused on crypto-currency exchanges, but switched to targeting COVID-19 research in 2020, including vaccine maker Pfizer. The group has also targeted security researchers, Google warned recently.
In a report this week, Kaspersky said Lazarus had been targeting the defense industry since at least mid-2020 using a malware cluster it named ThreatNeedle, which is an advanced cluster of the Manuscrypt malware (also known as NukeSped).
Through the use of spear-phishing, the attackers attempted to lure victims into opening a malicious Microsoft Office document and enabling macros to run, with multiple emails being delivered during the last two weeks of May 2020.
In early June, one malicious attachment was opened, providing the hackers with remote control of the system. The ThreatNeedle backdoor was deployed onto the victim’s system, allowing the adversary to perform reconnaissance and deploy additional payloads.
A ThreatNeedle installer-type malware was used for lateral movement, responsible for implanting the next stage loader-type malware, which in turn executes the ThreatNeedle backdoor in memory. The backdoor can manipulate files and directories, gather system info, control and update the backdoor, enter sleep/hibernation mode, and execute commands received from the attackers.
Following the initial foothold, the threat actor proceeded with the execution of a credential harvesting tool named Responder, and lateral movement. They were even able to steal data from a network segment that was cut off from the internet, by compromising a router used to connect to it.
Despite the organization’s effort to keep specific data secure using network segmentation, Lazarus was able to harvest administrative credentials to the router (a virtual machine running CentOS) used to connect to both network segments.
Furthermore, the hackers configured the Apache web server and used the router as a proxy between the two network segments. Thus, not only were they able to deploy malware onto machines in the restricted network segment, but they also managed to exfiltrate data from these machines (transfer of data between the two networks was otherwise strictly forbidden).
Using a custom tunneling tool, the adversary then attempted to create SSH tunnels from compromised server hosts to a remote server located in South Korea. In late September, the attackers started cleaning up their tracks from the router, eliminating most of the evidence of intrusion.
“We have been tracking ThreatNeedle malware for more than two years and are highly confident that this malware cluster is attributed only to the Lazarus group,” Kaspersky’s security researchers say.
The investigation also revealed links between ThreatNeedle and DeathNote (Operation Dream Job) and Operation AppleJeus, two clusters of activity previously attributed to Lazarus. Furthermore, ThreatNeedle also appears connected to the Bookcode cluster.
“In recent years, the Lazarus group has focused on attacking financial institutions around the world. However, beginning in early 2020, they focused on aggressively attacking the defense industry. While Lazarus has also previously utilized the ThreatNeedle malware used in this attack when targeting cryptocurrency businesses, it is currently being actively used in cyberespionage attacks,” Kaspersky concludes.