The prolific North Korean APT known as Lazarus is behind a spear-phishing campaign aimed at stealing critical data from defense companies by leveraging an advanced malware called ThreatNeedle, new research has revealed.
The elaborate and ongoing cyberespionage campaign used emails with COVID-19 themes paired with publicly available personal information of targets to lure them into taking the malware bait, according to Kaspersky, which first observed the activity in mid-2020.
Kaspersky researchers Vyacheslav Kopeytsev and Seongsu Park, in a blog post published Thursday, said they identified organizations in more than a dozen countries that were affected in the attacks. The adversaries were successful at stealing data and transmitting it to remote servers under Lazarus’ control, they said.
The researchers said they have been tracking ThreatNeedle, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped), for about two years and have linked it exclusively to the Lazarus APT.
“We named Lazarus the most active group of 2020,” with the “notorious APT targeting various industries” depending on their objective, according to Kaspersky.
While the group previously seemed to focus mainly on securing funding for the regime of Kim Jong-un, its focus now seems to have shifted to cyberespionage, researchers observed. This is evidenced not only by the campaign against defense companies but also by other recent attacks, such as incidents revealed in December aimed at stealing COVID-19 vaccine info and the aforementioned attacks on security researchers.
Researchers observed an entire lifecycle of the latest campaign, which they said helped them glean insight into the scope of Lazarus’ work as well as connect the dots between different campaigns. It begins with emails that pique victims’ interest with their mention of COVID-19 and are embellished with personal information to make them seem more legitimate, researchers said.
Lazarus did its due diligence before choosing its targets, but also bumbled initial spear-phishing efforts, according to Kaspersky. Before launching the attack, the group studied publicly available information about the targeted organization and identified email addresses belonging to various departments of the company.
They then crafted phishing emails claiming to have COVID-19 updates that either had a malicious Word document attached or a link to one hosted on a remote server to various email addresses in those departments, researchers said.
“The phishing emails were carefully crafted and written on behalf of a medical center that is part of the organization under attack,” Kopeytsev and Park wrote.
To ensure the emails appeared authentic, attackers registered accounts with a public email service to make sure the sender’s email addresses looked similar to the medical center’s real email address, and used personal data of the deputy head doctor of the attacked organization’s medical center in the email signature.
There were some missteps along the way in the attack researchers observed, however. The payload was concealed in a macro inside the Microsoft Word document attached to the email. However, the document contained information on a population health assessment program rather than information about COVID-19, which signals that the threat actors may not have fully understood the meaning of the email content they leveraged in the attack, researchers said.
Initial spear-phishing attempts also were unsuccessful because macros were disabled in the Microsoft Office installation of the targeted systems. In order to persuade the target to allow the malicious macro, the attacker then sent another email showing how to enable macros in Microsoft Office. But even that email was not compatible with the version of Office the victim was using, so attackers had to send yet another to explain, researchers observed.
Attackers eventually were successful with their attack on June 3 when employees opened one of the malicious documents, allowing attackers to gain remote control of the infected system, researchers said.
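The macro-disabled default that stalled the first spear-phishing wave is the same control a mail gateway can enforce up front by refusing to deliver attachments that carry a VBA project. The following triage routine is an added example written for this article; it is not code from Kaspersky or from the ThreatNeedle research. It treats an Office Open XML attachment as the zip container it is and looks for a `vbaProject.bin` part or a VBA content-type declaration, and it flags legacy OLE2 `.doc` files for deeper inspection because their macro streams cannot be ruled out without an OLE parser. The sample documents are constructed in memory; the placeholder VBA part is just zero bytes, not a real macro.

```python
import io
import zipfile

# Magic bytes of the legacy Compound File Binary (OLE2) format used by .doc/.xls
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type that Office declares for an embedded VBA project in OOXML files
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def inspect_office_attachment(data: bytes) -> dict:
    """Classify an attachment's container format and report whether it embeds VBA."""
    result = {"format": "unknown", "has_vba": False, "reasons": []}

    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros live in OLE streams, which this check does not parse
        result["format"] = "ole2"
        result["reasons"].append("legacy binary Office file; macros cannot be ruled out")
        return result

    if not data.startswith(b"PK"):
        result["reasons"].append("not a zip-based Office file")
        return result

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            result["format"] = "ooxml"
            # A .docm stores its macros in word/vbaProject.bin; a renamed .docx can too
            vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if vba_parts:
                result["has_vba"] = True
                result["reasons"].append("embedded VBA project part: " + ", ".join(vba_parts))
            # The content-types manifest also declares the VBA part explicitly
            if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                result["has_vba"] = True
                result["reasons"].append("content types declare a VBA project")
    except zipfile.BadZipFile:
        result["reasons"].append("PK header but not a valid zip container")
    return result


def should_quarantine(data: bytes) -> bool:
    """Gateway policy (hypothetical): hold anything with VBA or in the opaque legacy format."""
    verdict = inspect_office_attachment(data)
    return verdict["has_vba"] or verdict["format"] == "ole2"


def _make_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-style zip from a mapping of part name to bytes (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a macro-free .docx, a macro-bearing .docm and a legacy .doc header
CLEAN_DOCX = _make_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                           b'ContentType="application/vnd.openxmlformats-officedocument'
                           b'.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
})
MACRO_DOCM = _make_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/vbaProject.bin" '
                           b'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\x00" * 64,  # placeholder bytes, not a real VBA stream
})
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for label, sample in (("clean.docx", CLEAN_DOCX), ("update.docm", MACRO_DOCM), ("old.doc", LEGACY_DOC)):
        print(label, inspect_office_attachment(sample), "quarantine:", should_quarantine(sample))
```

The check is deliberately format-level rather than signature-based: it does not need to know anything about the lure text, so a document whose macro is benign is still held for review, which is the trade-off a defense contractor's gateway would normally accept.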
Once deployed, ThreatNeedle installs in three stages, comprising an installer, a loader and a backdoor capable of manipulating files and directories, profiling the system, controlling backdoor processes and executing received commands, among other capabilities.
After attackers get into a system, they proceed to gather credentials using a tool named Responder and then move laterally, seeking “crucial assets in the victim environment,” according to the researchers.
They also figured out a way to overcome network segmentation by gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network using a custom tool and then sending it to their remote server.
During their investigation, researchers found critical ties to other previously discovered attacks—one called DreamJob and another dubbed Operation AppleJeus—both of which were suspected to be the work of the North Korean APT, they said.
“This investigation allowed us to create strong ties between multiple campaigns that Lazarus has conducted, reinforcing our attribution” as well as identifying the various strategies and shared infrastructure of the group’s various attacks, according to Kaspersky.