Security researchers at Kaspersky ICS CERT have identified a spear phishing campaign targeting defense companies that delivers an advanced malware dubbed ThreatNeedle. The campaign has been linked to the North Korean Advanced Persistent Threat (APT) group Lazarus, the most active APT group in 2020.
Lazarus has conducted many spear phishing campaigns in recent months using the ThreatNeedle cluster of malware, which is a more advanced variant of Manuscrypt (NukeSped).
In the latest campaign, the group adopted a COVID-19 lure for its phishing emails. The targeted companies are researched beforehand, and the emails include personal information gathered from publicly available sources. The group also registered accounts with a public email service, choosing account names that closely resemble a medical center associated with the organization under attack.
The emails use the genuine contact information of the deputy head director of the organization’s medical center, which is available on the medical center’s website. The emails claim to include urgent updates on COVID-19 infections.
Malicious Word documents are attached to or linked from the emails, and the recipient is told to open them to obtain the information the emails describe. The documents contain malicious macros that, if enabled, download the malware payload. Rather than information about COVID-19 infections, the documents contain information on a population health assessment, with content copied from an online post by a health clinic.
Once the malware payload is delivered, the group gathers credentials and moves laterally to identify and exfiltrate critical assets. In this attack, the Lazarus group was able to bypass network segmentation and exfiltrate data from an isolated network that was not exposed to the Internet by compromising a router virtual machine.
The spear phishing attack was not initially successful, as macros had been disabled by the organization. The group then sent further spear phishing emails explaining how to enable macros to view the contents of the document, but that attempt also failed because the targeted organization was using a different version of Microsoft Office. A third attempt was then made with revised instructions for enabling macros, and this one was ultimately successful: several employees opened the document and enabled macros, triggering the malware download. The malware was dropped in a three-stage deployment involving an installer, a loader, and a backdoor.
Having observed the entire lifecycle of the attack, Kaspersky was able to gain insights into the Lazarus group's spear phishing and post-compromise tactics and linked several other spear phishing attacks to the group. In 2020, Lazarus was primarily attacking financial institutions and cryptocurrency businesses; however, the latest campaign confirms that the group is also actively engaged in cyberespionage.