The malware can set up a gateway to restricted segments of the network to exfiltrate the family jewels.
A new threat from the infamous Lazarus advanced persistent threat group is targeting the defense industry.
Using a custom backdoor (a type of malware that allows complete remote control over the device) dubbed ThreatNeedle, the group moves laterally through infected networks gathering sensitive information. So far, organizations in more than a dozen countries have been affected, said the cybersecurity firm.
Needle in a manuscrypt
Infection is through spear phishing, especially those based on pandemic- or medical- related themes. Once a user opens a malicious document, the malware is dropped and proceeds to the next stage of the deployment process. The ThreatNeedle malware used in this campaign belongs to a malware family known as Manuscrypt which uses custom backdoor, which belongs to the Lazarus group and has previously been seen attacking cryptocurrency businesses.
Once installed, ThreatNeedle is able to obtain full control of the victim’s device, meaning it can do everything from manipulating files to executing received commands. One of the most interesting techniques in this campaign is the group’s ability to steal data from both office IT networks and a plant’s restricted network (one containing mission-critical assets and computers with highly sensitive data and no internet access).
Typically, no information is supposed to be transferred between these two types of networks. However, Lazarus was able to obtain control of administrator workstations and then set up a malicious gateway to attack the restricted network and to steal and extract confidential data from there.
According to Vyacheslav Kopeytsev, a security expert with Kaspersky ICS CERT: “Lazarus is not just highly prolific but highly sophisticated. Not only were they able to overcome network segmentation, but they did extensive research to create highly personalized and effective spear phishing emails and built custom tools to extract the stolen information to a remote server. With industries still dealing with remote work and, thus, still more vulnerable, it’s important organizations take extra security precautions to safeguard against these types of advanced attacks.”