Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Lazarus targets defense industry with ThreatNeedle
#1
Bug 
Quote:
[Image: abstract_cyberspace_global_data-1200x600.jpg]

Lazarus targets defense industry with ThreatNeedle (PDF)

We named Lazarus the most active group of 2020. We’ve observed numerous activities by this notorious APT group targeting various industries. The group has changed target depending on the primary objective. Google TAG has recently published a post about a campaign by Lazarus targeting security researchers.

After taking a closer look, we identified the malware used in those attacks as belonging to a family that we call ThreatNeedle. We have seen Lazarus attack various industries using this malware cluster before. In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

The group made use of COVID-19 themes in its spear-phishing emails, embellishing them with personal information gathered using publicly available sources.

After gaining an initial foothold, the attackers gathered credentials and moved laterally, seeking crucial assets in the victim environment. We observed how they overcame network segmentation by gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network to their remote server. So far organizations in more than a dozen countries have been affected.

During this investigation we had a chance to look into the command-and-control infrastructure. The attackers configured multiple C2 servers for various stages, reusing several scripts we’ve seen in previous attacks by the group. Moreover, based on the insights so far, it was possible to figure out the relationship with other Lazarus group campaigns.

The full article is available on Kaspersky Threat Intelligence.

For more information please contact: ics-cert@kaspersky.com

Initial infection

In this attack, spear phishing was used as the initial infection vector. Before launching the attack, the group studied publicly available information about the targeted organization and identified email addresses belonging to various departments of the company.

Email addresses in those departments received phishing emails that either had a malicious Word document attached or a link to one hosted on a remote server. The phishing emails claimed to have urgent updates on today’s hottest topic – COVID-19 infections. The phishing emails were carefully crafted and written on behalf of a medical center that is part of the organization under attack.

The attackers registered accounts with a public email service, making sure the sender’s email addresses looked similar to the medical center’s real email address. The signature shown in the phishing emails included the actual personal data of the deputy head doctor of the attacked organization’s medical center.

The attackers were able to find this information on the medical center’s public website.

A macro in the Microsoft Word document contained the malicious code designed to download and execute additional malicious software on the infected system.

The document contains information on the population health assessment program and is not directly related to the subject of the phishing email (COVID-19), suggesting the attackers may not completely understand the meaning of the contents they used.

The content of the lure document was copied from an online post by a health clinic.

Our investigation showed that the initial spear-phishing attempt was unsuccessful due to macros being disabled in the Microsoft Office installation of the targeted systems. In order to persuade the target to allow the malicious macro, the attacker sent another email showing how to enable macros in Microsoft Office.

After sending the above email with explanations, the attackers realized that the target was using a different version of Microsoft Office and therefore required a different procedure for enabling macros. The attackers subsequently sent another email showing the correct procedure in a screenshot with a Russian language pack.

The content in the spear-phishing emails sent by the attackers from May 21 to May 26, 2020, did not contain any grammatical mistakes. However, in subsequent emails the attackers made numerous errors, suggesting they may not be native Russian speakers and were using translation tools.On June 3, 2020, one of the malicious attachments was opened by employees and at 9:30 am local time the attackers gained remote control of the infected system.

This group also utilized different types of spear-phishing attack. One of the compromised hosts received several spear-phishing documents on May 19, 2020.

The malicious file that was delivered, named Boeing_AERO_GS.docx, fetches a template from a remote server.

However, no payload created by this malicious document could be discovered. We speculate that the infection from this malicious document failed for a reason unknown to us. A few days later, the same host opened a different malicious document. The threat actor wiped these files from disk after the initial infection meaning they could not be obtained.

Nonetheless, a related malicious document with this malware was retrieved based on our telemetry. It creates a payload and shortcut file and then continues executing the payload by using the following command line parameters.
  • Payload path: %APPDATA%\Microsoft\Windows\lconcaches.db
  • Shortcut path: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\OneDrives.lnk
  • Command Line; please note that the string at the end is hard-coded, but different for each sample:
  • exe [dllpath],Dispatch n2UmQ9McxUds2b29
The content of the decoy document depicts the job description of a generator/power industry engineer.
...
Continue Reading
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
AWZ Screen Recorder
AWZ Screen Recorder ...zevish — 11:05
Website X5 Go 2024.1
Website X5 Go 2024.1...zevish — 09:32
Apple's rules to allow third-party app ...
Apple has announ...alison30 — 09:28
Intel: Microsoft AI PCs need a Copilot K...
Microsoft hopes th...harlan4096 — 08:55
Synchredible 8 Professional Edition v8.2...
          Synchredib...zevish — 08:54

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
There are no staff members currently online.

>