APT group Lazarus attacks defense companies

Kaspersky_news


APT group Lazarus has defense companies in its sights. Malware 'ThreatNeedle' also attacks restricted networks without internet access.

Kaspersky researchers have identified a new, previously unknown campaign by the advanced threat actor Lazarus. Since the beginning of 2020, the campaign has targeted companies in the defense industry with the custom backdoor 'ThreatNeedle'. The backdoor moves laterally through infected networks and collects confidential information. Lazarus can steal data from both IT and restricted networks.

Lazarus group active since 2009

Lazarus is a very productive threat actor that has been active since at least 2009. The group is known for extensive cyber espionage and ransomware campaigns as well as attacks on the cryptocurrency market. Current attacks have also been identified in connection with Covid-19 and vaccine research. While Lazarus has focused on financial institutions in previous years, the defense industry seems to have been the focus of activities since the beginning of 2020.

Backdoor incident exposed ThreatNeedle

Kaspersky researchers first became aware of this new campaign when they were called in to assist with incident response. The analysis revealed that the organization had fallen victim to a custom backdoor, a type of malware that allows complete remote control of the device. This backdoor, known as ThreatNeedle, moves laterally through the infected networks and extracts sensitive information. To date, organizations in more than a dozen countries have been affected. Kaspersky discovered numerous hosts from Europe, North America, the Middle East and Asia that had connected to the attacker's infrastructure.

Infection scheme and procedure by ThreatNeedle

Initial infection occurs via spear-phishing emails that contain either a malicious Word attachment or a link to one hosted on corporate servers. The emails were often disguised as supposedly urgent updates related to the coronavirus pandemic and purported to come from a reputable medical center.

When the malicious document is opened, the malware runs and moves to the next stage of the deployment process. The ThreatNeedle malware used belongs to the 'Manuscrypt' malware family, which is attributed to the Lazarus group and was previously used in attacks against cryptocurrency companies. Once installed, ThreatNeedle has complete control over the victim's device - anything is possible, from editing files to executing received commands.

Data theft from office IT networks

Using ThreatNeedle, Lazarus can steal data from both office IT networks (networks of computers with internet access) and the restricted network of a plant or facility (a network of business-critical resources and computers holding highly sensitive data and databases, without internet access). The attacked companies' policies do not allow any information to be transferred between these two networks. However, administrators can connect to either network for system maintenance. Lazarus gained control of administrator workstations and set up a malicious gateway to attack the restricted network and exfiltrate confidential data from it.
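The pivot described above relies on administrator workstations that sit on both the office and the restricted network. The following is an added illustration, not code from the Kaspersky report: given a constructed host inventory and two assumed (hypothetical) subnet ranges, it flags dual-homed hosts and rates those with IP forwarding enabled highest, since such a host can act as the gateway the report describes.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical subnet layout (assumed for this example, not from the report):
# the office IT network and the restricted plant network that must never be bridged.
OFFICE_NET = ipaddress.ip_network("10.10.0.0/16")
RESTRICTED_NET = ipaddress.ip_network("172.20.0.0/16")


@dataclass
class HostInventory:
    hostname: str
    addresses: list      # IPs on all interfaces, as strings
    ip_forwarding: bool  # OS routing/forwarding flag as collected by an agent


def classify(addrs):
    """Return (on_office, on_restricted) for a host's interface addresses."""
    office = any(ipaddress.ip_address(a) in OFFICE_NET for a in addrs)
    restricted = any(ipaddress.ip_address(a) in RESTRICTED_NET for a in addrs)
    return office, restricted


def find_bridging_hosts(inventory):
    """Return (hostname, severity) for hosts with a foot in both networks.

    'high'   : dual-homed and forwarding enabled -> can route traffic between
               the networks, i.e. a ready-made gateway (policy violation).
    'medium' : dual-homed without forwarding -> still a pivot candidate that
               should be reviewed against the no-transfer policy.
    """
    findings = []
    for host in inventory:
        office, restricted = classify(host.addresses)
        if office and restricted:
            findings.append((host.hostname, "high" if host.ip_forwarding else "medium"))
    return findings


# Constructed sample inventory (not real hosts or addresses)
SAMPLE = [
    HostInventory("ws-admin-01", ["10.10.5.20", "172.20.1.7"], True),
    HostInventory("ws-admin-02", ["10.10.5.21", "172.20.1.8"], False),
    HostInventory("ws-sales-03", ["10.10.9.44"], False),
    HostInventory("plc-hist-01", ["172.20.3.2"], False),
]

if __name__ == "__main__":
    for hostname, severity in find_bridging_hosts(SAMPLE):
        print(f"{severity.upper()}: {hostname} is attached to both networks")
```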

More on this in the ICS channel at Kaspersky.com

About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/
