Lazarus Group used ThreatNeedle malware against defence companies

Kaspersky Lab experts have discovered a new campaign by the Lazarus hack group, in which hackers used the ThreatNeedle malware. The campaign targets the companies in the defence industry.

The North Korean hack group Lazarus has been active since at least 2009 and is known for large-scale cyber espionage campaigns, attacks on the cryptocurrency market, as well as operations using ransomware. In recent years, the group has focused its attacks on financial institutions around the world, but since the beginning of 2020, defense industry enterprises also became target of the cybercriminals.

Kaspersky Lab was able to investigate such an attack in more detail when one of the affected organizations asked for help. The company’s experts discovered the ThreatNeedle backdoor, previously seen in attacks on cryptocurrency companies, in the network of victims.

“The initial infection took place through phishing: attackers sent messages to targets with malicious Microsoft Word documents or links to such documents hosted on a remote server. In the letters, the hackers relied on an urgent topic – the prevention and diagnosis of COVID-19. These messages were allegedly written on behalf of an employee of the medical center, which is part of the attacked organization”, – say the researchers.

If the user opened a malicious document and allowed macros to run, the malware proceeded to a multi-stage deployment procedure, and after installing ThreatNeedle, the attackers gained almost complete control over the device.

One of the more interesting details of this campaign has to do with how the attackers overcame the network segmentation. The network of the attacked enterprise was divided into two segments: corporate (a network whose computers have access to the Internet) and isolated (a network whose computers contain confidential data and do not have access to the Internet).

“At the same time, according to security policies, any transfer of information between these segments is prohibited, that is, they must be completely separated. But in reality, administrators were able to connect to both segments to configure and provide technical support to users in both zones”, — Experts say.

Lazarus was able to get credentials from the router used by administrators to connect to isolated and corporate networks. By changing its settings and installing additional software, they were able to turn it into hosting for malware on the enterprise network. After that, the router was used to penetrate the isolated segment, output data from it and send it to the C&C server.

The researchers note that the main purpose of this attack was clearly the theft of intellectual property.

“Lazarus was arguably the most active cyber group in 2020 and it seems to remain so. In January 2021, the Google Threat Analysis Team reported that Lazarus is using the same backdoor to attack cybersecurity researchers. We believe we will see ThreatNeedle more than once in the future and will continue to monitor this backdoor”, — commented Seongsu Park, senior expert at the GReAT team.

Let me remind you that we reported that US authorities imposed sanctions on North Korean hack groups Lazarus, Bluenoroff and Andarial, as well as that the US authorities indicted two more members of the Lazarus group.