Researchers at Kaspersky’s Industrial Systems Emergency Response Team say Lazarus has been targeting defense industry targets in more than a dozen countries with a backdoor called ThreatNeedle.
The campaign started in 2020 and begins with a spear-phishing attack through which Lazarus gains full control over the victim’s device.
ThreatNeedle, also known as APT38 and Hidden Cobra, is part of Lazarus’ Manuscrypt family of malware. It can steal data from segmented portions of a network not connected to the Internet, Kaspersky says.
To initiate an attack, the attackers sent a victim an email containing a malicious Microsoft Word document or a link to a malicious remote server. Once the victim clicks the document or link, the ThreatNeedle backdoor malware is deployed and the attacker gains control of the target system.
In one of the analyzed attacks, the attackers found the router’s credentials stored inside the system, then gained access to an internal router machine and configured it as a proxy server. This allowed them to pump out stolen data from the intranet network to their remote server, Seongsu Park and Vyacheslav Kopeytsev, Kaspersky’s senior threat researchers, explained.
“The attackers scanned the router’s ports and detected a Webmin interface. Next, the attackers logged in to the web interface using a privileged root account,” the researchers said.
By using the company’s server as a proxy, the hackers downloaded malware into the segmented portion of the network and stole sensitive data.
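The proxy pattern the researchers describe can be turned into a detection: a host in the isolated segment connecting to the internal router while that router itself opens connections to external addresses, plus any access to the router’s Webmin port. The script below is an added example, not Kaspersky’s code or detection logic; the isolated segment 10.50.0.0/16, the router address 10.0.0.1, the internal range 10.0.0.0/8 and the flow records are all constructed.

```python
import ipaddress

# Constructed layout for this example (not from the report): an isolated
# segment that must never reach the Internet, the internal router that was
# turned into a proxy, and the organisation's whole internal address space.
ISOLATED_NET = ipaddress.ip_network("10.50.0.0/16")
ROUTER_IP = ipaddress.ip_address("10.0.0.1")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WEBMIN_PORT = 10000  # Webmin's default listening port

# Constructed flow records as (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("10.50.3.7", "10.0.0.1", 8080),     # isolated host -> router (proxy port)
    ("10.0.0.1", "203.0.113.9", 443),    # router -> external address
    ("10.50.3.7", "10.50.3.9", 445),     # normal intra-segment traffic
    ("10.20.1.4", "10.0.0.1", 10000),    # a host reaching the router's Webmin UI
]


def is_external(ip):
    """True when the address lies outside the defined internal ranges."""
    return not any(ip in net for net in INTERNAL_NETS)


def find_router_pivot(flows, isolated_net=ISOLATED_NET, router_ip=ROUTER_IP):
    """Correlate flows that together suggest the router is proxying the
    isolated segment out to the Internet, and list Webmin access attempts."""
    isolated_to_router, router_to_external, webmin_access = set(), set(), []
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d == router_ip and port == WEBMIN_PORT:
            webmin_access.append(src)
        if s in isolated_net and d == router_ip:
            isolated_to_router.add(src)
        # The router should route, not originate connections to the outside.
        if s == router_ip and is_external(d):
            router_to_external.add(dst)
    return {
        "isolated_to_router": isolated_to_router,
        "router_to_external": router_to_external,
        "webmin_access": webmin_access,
        # Both halves seen together is the proxy pattern the report describes.
        "pivot_suspected": bool(isolated_to_router and router_to_external),
    }


if __name__ == "__main__":
    for key, value in find_router_pivot(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```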
ThreatNeedle has been used in a series of attacks since February 2018. The North Korean hacking group first used it in an attack on a cryptocurrency exchange in Hong Kong and a mobile game developer.
Once executed, the malware can conduct system profiling, manipulate files and directories, control backdoor processes, update the backdoor configuration and execute received commands, and siphon data to the attackers.
This week, three North Korean hackers from Lazarus were indicted by the U.S. Justice Department for attempting to steal $1.3 billion in cryptocurrency.