Security researchers have found that Lazarus, the North Korea-backed advanced persistent threat (APT) group, has been targeting the defense industry in multiple countries since 2020. According to Kaspersky, the attackers use a backdoor dubbed “ThreatNeedle” to penetrate corporate networks. Once inside, the malware let the attackers reach and steal sensitive data from a segmented part of the network that was not connected to the internet.
“We have seen Lazarus attack various industries using this malware cluster before. In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity,” Kaspersky said.
How ThreatNeedle Works
Kaspersky says the ongoing ThreatNeedle campaign uses a multistage approach that starts with spear-phishing and ends with full remote control of the victim’s device.
Before launching an attack, the attackers research the targeted organization and create lookalike email addresses that appear to belong to various departments of the company. Phishing emails carrying a malicious link or a Microsoft Word attachment with a malicious macro are then sent to employees across several departments. Once a recipient opens the document and allows its macro to run, the malware is dropped and a multistage deployment follows to compromise the device.
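The two red flags in that delivery chain, a lookalike sender address and a macro-carrying Word attachment, can both be checked at the mail gateway before a user ever sees the “Enable Content” bar. The script below is an added example, not Kaspersky’s code or anything from the report: it parses the sender against an assumed organization domain (example-defense.com), inspects an OOXML attachment for a VBA project and a macro-enabled content type, and flags a .docx extension that hides a macro-enabled document. The homoglyph table, the sample addresses and the in-memory attachments are constructed for the example.

```python
"""Mail-gateway triage for the spear-phishing chain described above.
Added example; domain, homoglyph list and sample attachments are assumptions."""
import io
import zipfile
from email.utils import parseaddr

ORG_DOMAIN = "example-defense.com"  # assumption: the targeted organization's domain
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Character substitutions used in lookalike domains (constructed, heuristic list)
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize_domain(domain):
    """Undo common homoglyph tricks so 'exarnple' compares equal to 'example'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance; small distances catch typo-squats such as 'defence' vs 'defense'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_verdict(from_header, org_domain=ORG_DOMAIN):
    """Classify the From: header as internal, lookalike, display-name-spoof or external."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == org_domain:
        return "internal"
    norm = normalize_domain(domain)
    if norm == org_domain or levenshtein(norm, org_domain) <= 2:
        return "lookalike"
    if org_domain in display.lower():  # display name claims the org, address does not
        return "display-name-spoof"
    return "external"


def build_sample_attachment(with_macro):
    """Constructed minimal OOXML document; a real .docm carries many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = MACRO_CT if with_macro else PLAIN_CT
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{ct}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)  # OLE header stub
    return buf.getvalue()


def attachment_verdict(filename, data):
    """Return findings for a Word attachment: VBA project, macro content type, hidden extension."""
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not-ooxml"]  # legacy .doc or something else entirely; inspect separately
    names = set(z.namelist())
    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
    ct_xml = z.read("[Content_Types].xml").decode("utf-8", "replace") if "[Content_Types].xml" in names else ""
    macro_ct = "macroEnabled" in ct_xml
    findings = []
    if has_vba:
        findings.append("vba-macro-present")
    if macro_ct:
        findings.append("macro-enabled-content-type")
    if (has_vba or macro_ct) and filename.lower().endswith(".docx"):
        findings.append("extension-mismatch")  # a .docx that is really a macro document
    return findings or ["clean"]


def triage(from_header, filename, data):
    """Combine both checks: block lookalike sender + macro document, quarantine either alone."""
    sender = sender_verdict(from_header)
    attach = attachment_verdict(filename, data)
    macro = "vba-macro-present" in attach or "macro-enabled-content-type" in attach
    if sender in ("lookalike", "display-name-spoof") and macro:
        return "block"
    if macro or sender in ("lookalike", "display-name-spoof"):
        return "quarantine"
    return "deliver"


if __name__ == "__main__":
    doc = build_sample_attachment(with_macro=True)
    print(triage("HR <hr@exarnple-defense.com>", "health_program.docm", doc))
```

The macro check deliberately does not trust the file extension: the presence of word/vbaProject.bin and the macroEnabled content type in [Content_Types].xml are what matter, and a mismatch between the two and a .docx name is itself worth flagging.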
Once the final ThreatNeedle payload is deployed on the victim’s system, a remote attacker can instruct it to:
- Manipulate files and directories
- Profile the system
- Control backdoor processes
- Enter sleep or hibernation mode
- Update the backdoor configuration
- Execute received commands
“Our investigation showed that the initial spear-phishing attempt was unsuccessful due to macros being disabled in the Microsoft Office installation of the targeted systems. To persuade the target to allow the malicious macro, the attacker sent another email showing how to enable macros in Microsoft Office. The document contains information on the population health assessment program and is not directly related to the subject of the phishing email (COVID-19), suggesting the attackers may not completely understand the meaning of the contents they used,” Kaspersky added.
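The quoted incident turned on one setting: macros were disabled, so the attacker had to coach the user into enabling them. Whether that coaching can succeed depends on the Office Trust Center policy in effect. The audit below is an added example, not Kaspersky’s code: it maps the documented Office policy values (VBAWarnings 1 to 4, and blockcontentexecutionfrominternet, which prevents macros in files carrying the Mark of the Web from being enabled from the yellow bar) to a verdict per application, and reads the live values from HKCU on Windows when run there. The sample settings passed to audit() are constructed.

```python
"""Audit of the Office macro policy that decided the quoted incident.
Added example; the sample settings are constructed, the registry paths are the
documented per-user Office policy keys (Office 16.0 assumed)."""
import sys

OFFICE_APPS = ("word", "excel", "powerpoint")
POLICY_KEY = r"Software\Policies\Microsoft\Office\16.0\{app}\security"

# Trust Center "Macro Settings" as stored in the vbawarnings policy value
VBA_WARNINGS = {
    1: "enable all macros",
    2: "disable with notification (user can click Enable Content)",  # Office default
    3: "disable except digitally signed",
    4: "disable all without notification",
}


def assess(vbawarnings, block_internet):
    """Verdict for one application. A missing vbawarnings policy means the
    Office default (2); block_internet is blockcontentexecutionfrominternet (1 = on)."""
    level = 2 if vbawarnings is None else vbawarnings
    if level == 4:
        return "blocked"
    if level == 3:
        return "signed-only"
    if level == 1:
        return "macros-run-silently"  # worse than the incident above: no prompt at all
    if block_internet == 1:
        return "blocked-for-internet-files"  # mail attachments carry MOTW, bar cannot enable
    return "user-can-enable"  # the state the attacker's "how to enable macros" email exploits


def read_policy_windows(app):
    """Read the two policy values from HKCU on Windows; None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_KEY.format(app=app)) as k:
            def get(name):
                try:
                    return winreg.QueryValueEx(k, name)[0]
                except FileNotFoundError:
                    return None
            return {"vbawarnings": get("vbawarnings"),
                    "blockcontentexecutionfrominternet": get("blockcontentexecutionfrominternet")}
    except FileNotFoundError:
        return {"vbawarnings": None, "blockcontentexecutionfrominternet": None}


def audit(settings):
    """settings maps app name to its two policy values; returns a verdict per app."""
    return {app: assess(v.get("vbawarnings"), v.get("blockcontentexecutionfrominternet"))
            for app, v in settings.items()}


def exposed_apps(settings):
    """Applications where a coached user could still enable a mailed macro document."""
    return sorted(app for app, verdict in audit(settings).items()
                  if verdict in ("user-can-enable", "macros-run-silently"))


if __name__ == "__main__":
    # Constructed sample: Word hardened, Excel on the Office default, PowerPoint MOTW-blocked
    sample = {
        "word": {"vbawarnings": 3, "blockcontentexecutionfrominternet": 1},
        "excel": {"vbawarnings": None, "blockcontentexecutionfrominternet": None},
        "powerpoint": {"vbawarnings": 2, "blockcontentexecutionfrominternet": 1},
    }
    live = {app: read_policy_windows(app) for app in OFFICE_APPS}
    print(audit(live) if all(live.values()) else audit(sample))
```

Run on a Windows workstation it reports the live per-user policy; anywhere else it evaluates whatever settings you pass in, which is how a fleet export from Group Policy can be checked offline.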