A spear-phishing campaign linked to a North Korean APT uses “Nuke Sped” malware in cyber-espionage attacks against defence companies.
The notorious N. Korean APT known as ‘Lazarus’ is behind a spear-phishing campaign aimed at stealing critical data from defence companies using an advanced malware called Threat Needle, new research has revealed.
COVID-19 Themes
This complex & ongoing cyber-espionage campaign used emails with COVID-19 themes, combined with publicly available personal information about the targets, to lure them into taking the malware bait, stated Kaspersky, which first observed the activity in mid-2020.
Kaspersky researchers Vyacheslav Kopeytsev & Seongsu Park, in a blog post published Thursday, explained that they identified affected organisations in more than 12 countries. The culprits were successful at stealing data & transmitting it to remote servers under Lazarus’ control, they said.
Manuscrypt
The researchers revealed that they have been tracking Threat Needle, an advanced malware cluster of Manuscrypt (a.k.a. Nuke Sped), for about 2 years & have linked it exclusively to the Lazarus APT.
“We named Lazarus the most active group of 2020,” with the “notorious APT targeting various industries” depending on their objective, said Kaspersky.
Although the group previously seemed to focus mainly on securing funding for the regime of Kim Jong-un, its focus now seems to have shifted to cyber-espionage, researchers observed.
Vaccine Info
This is confirmed not only by the campaign against defence companies but also by other recent attacks, such as the incidents revealed in Dec. aimed at stealing COVID-19 vaccine information & the previously reported attacks on security researchers.
Researchers observed an entire lifecycle of the latest campaign, which they said helped them glean insight into the scope of Lazarus’ work as well as connect the dots between different campaigns.
It begins with emails that gain victims’ interest with their mention of COVID-19 and are embellished with personal information to make them seem more legitimate, researchers said.
Spear-Phishing
Lazarus did its ‘due-diligence’ before choosing its targets, but also bumbled initial spear-phishing efforts, according to Kaspersky. Before launching the attack, the group studied publicly available information about the targeted organisation & identified email addresses belonging to various departments of the company.
They then sent phishing emails, claiming to carry COVID-19 updates, to various email addresses in those departments; the emails either had a malicious Word document attached or contained a link to one hosted on a remote server, researchers said.
“The phishing emails were carefully crafted & written on behalf of a medical centre that is part of the organisation under attack,” Kopeytsev & Park wrote.
Public E-mail Service
To make the emails appear authentic, the attackers registered accounts with a public email service so that the sender addresses looked similar to the medical centre’s real email address, & used personal data of the deputy head doctor of the attacked organisation’s medical centre in the email signature.
There were some missteps along the way in the attack researchers observed, however. The payload of the attack was concealed in a macro inside the Microsoft Word document attached to the email.
However, the document contained information on a population health assessment programme rather than information about COVID-19, which signals that the threat actors may not have fully understood the meaning of the email content they leveraged in the attack, researchers stated.
Macros Were Disabled
Initial spear-phishing attempts were also unsuccessful because macros were disabled in the Microsoft Office installation on the targeted systems. To persuade the target to allow the malicious macro, the attacker then sent another email showing how to enable macros in Microsoft Office.
But even that email was not compatible with the version of Office the victim was using, so attackers had to send yet another to explain, researchers observed.
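The two tells described above, a sender on a public email provider imitating an internal mailbox, and a follow-up email coaching the recipient into enabling macros, translate directly into mail-triage rules. The following is an added example written for this page, not Kaspersky’s tooling and not code from the campaign: three checks run over constructed sample messages. The public-provider list, the organisation domain acme.example and the coaching phrases are illustrative assumptions.

```python
"""Mailbox triage rules for the lure pattern described in the article.

Added example (not code from Kaspersky or from the campaign): three small checks
run over constructed sample messages.  The public-provider list, the organisation
domain 'acme.example' and the coaching phrases are assumptions for illustration.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed: providers an attacker can freely register lookalike mailboxes with.
PUBLIC_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "mail.ru", "yandex.ru"}
WORD_EXTENSIONS = (".doc", ".docm", ".dot", ".dotm")
# Assumed: wording used to coach a recipient into enabling VBA macros.
COACHING_PHRASES = ("enable content", "enable macros", "enable editing")


def _body_text(msg):
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def lookalike_sender(msg, internal_domain):
    """True when From: is on a public provider and its local part or display name
    reuses the organisation's name, e.g. acme.medcentre@gmail.com posing as
    medcentre@acme.example.  Mail from the real internal domain is never flagged."""
    name, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    internal_domain = internal_domain.lower()
    if domain == internal_domain or domain not in PUBLIC_PROVIDERS:
        return False
    org_token = internal_domain.split(".")[0]
    return org_token in local or internal_domain in name.lower()


def word_document(msg):
    """True when a Word file is attached or the body links to one on a remote server."""
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(WORD_EXTENSIONS):
            return True
    return re.search(r"https?://\S+\.(?:doc|docm|dot|dotm)\b", _body_text(msg), re.I) is not None


def enable_macro_coaching(msg):
    """True when the text walks the reader through enabling macros; a follow-up
    mail of this kind is a strong tell even when it carries no attachment."""
    text = _body_text(msg).lower()
    return any(phrase in text for phrase in COACHING_PHRASES)


def triage(raw, internal_domain):
    """Return the names of the rules that fire for one RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    rules = (
        ("lookalike-sender", lambda m: lookalike_sender(m, internal_domain)),
        ("word-document", word_document),
        ("enable-macro-coaching", enable_macro_coaching),
    )
    return [name for name, rule in rules if rule(msg)]


def _sample(from_hdr, subject, text, attachment=None):
    """Build a constructed sample message (not a real captured email)."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "hr@acme.example"
    m["Subject"] = subject
    m.set_content(text)
    if attachment:
        m.add_attachment(b"\xd0\xcf\x11\xe0placeholder", maintype="application",
                         subtype="msword", filename=attachment)
    return m.as_bytes()


# Constructed samples: the initial lure, the "how to enable macros" follow-up,
# and a genuine internal message from the medical centre.
SAMPLE_LURE = _sample("Medical Centre ACME <acme.medcentre@gmail.com>",
                      "COVID-19 update",
                      "Dear colleagues, please see the attached COVID-19 update.",
                      "covid_update.doc")
SAMPLE_COACHING = _sample("Medical Centre ACME <acme.medcentre@gmail.com>",
                          "Re: COVID-19 update",
                          "If the document looks empty, click 'Enable Content' in the "
                          "yellow bar to enable macros and open it again.")
SAMPLE_LEGIT = _sample("Medical Centre <medcentre@acme.example>",
                       "Flu shots",
                       "Reminder: flu shots are available on Monday.")

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("coaching", SAMPLE_COACHING),
                       ("legit", SAMPLE_LEGIT)):
        print(label, triage(raw, "acme.example"))
```

The lookalike rule deliberately stays narrow: it only fires for public-provider addresses that echo the organisation's name, so it does not generate noise on ordinary external mail, and it never flags the organisation's own domain. The coaching rule is worth running on its own, because the follow-up message in this campaign carried instructions rather than a payload and would pass an attachment-only filter.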
Malicious Documents
Attackers eventually were successful with their attack on June 3 when employees opened one of the malicious documents, allowing attackers to gain remote control of the infected system, researchers commented.
Threat Needle is deployed in three stages, consisting of an installer, a loader & a backdoor. The backdoor is capable of manipulating files & directories, profiling the system, controlling backdoor processes and executing received commands, among other capabilities.