North Korean hackers target defense industry with custom malware

And this is why we sell breach detection and response tools…:

[…] After the initial compromise, they installed the group’s custom-made ThreatNeedle backdoor malware first used in 2018 in attacks targeting cryptocurrency businesses.

“Once installed, ThreatNeedle is able to obtain full control of the victim’s device, meaning it can do everything from manipulating files to executing received commands,” Kaspersky security researchers said earlier today.

[Figure: Attack flow (Kaspersky)]

ThreatNeedle helped the Lazarus hackers move laterally throughout the defense orgs’ networks and harvest sensitive info, which was exfiltrated to attacker-controlled servers using a custom tunneling tool, via SSH tunnels to remote compromised South Korean servers.

The backdoor also allowed them to bypass network segmentation and access restricted networks with mission-critical devices that didn’t have Internet access.


Original Article
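The two behaviours the excerpt describes, an office host pivoting into a restricted segment and then pushing data out over SSH tunnels to external servers, are both visible in network flow data. The following is an added example written for this page (it is not Kaspersky's code, and the network layout, port list, byte threshold and flow records are constructed assumptions for illustration): it correlates lateral-movement connections into a no-Internet segment with high-volume outbound SSH from the same source, which is the pattern a pivot host running a tunneling tool would leave.

```python
import ipaddress
from collections import defaultdict

# Assumed network layout (illustrative, not taken from the article).
OFFICE_NET = ipaddress.ip_network("10.10.0.0/16")
RESTRICTED_NET = ipaddress.ip_network("10.50.0.0/16")  # no Internet egress by policy
INTERNAL_NETS = [OFFICE_NET, RESTRICTED_NET]

SSH_PORT = 22
# Assumed threshold: tens of MiB uploaded over SSH from a workstation is unusual.
EXFIL_BYTES_THRESHOLD = 50 * 1024 * 1024
# Ports commonly used for lateral movement (SSH, RPC, SMB, RDP, WinRM).
LATERAL_PORTS = {22, 135, 139, 445, 3389, 5985}

# Constructed flow records: (src, dst, dport, bytes_out, duration_seconds)
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.10.4.1", 53, 120, 1),                   # normal DNS
    ("10.10.4.21", "10.50.7.10", 445, 8_000_000, 600),         # office host -> restricted SMB
    ("10.10.4.21", "10.50.7.11", 3389, 2_000_000, 900),        # office host -> restricted RDP
    ("10.10.4.21", "203.0.113.45", 22, 180_000_000, 14400),    # long, heavy outbound SSH
    ("10.10.9.5", "198.51.100.8", 443, 40_000, 20),            # ordinary HTTPS
    ("10.10.9.5", "203.0.113.45", 22, 3_000, 5),               # short admin SSH, low volume
    ("10.50.7.10", "10.50.7.11", 445, 500_000, 30),            # intra-restricted traffic
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_pivot_hosts(flows):
    """Return {src: findings} for hosts that both reach into the restricted
    segment on a lateral-movement port and push a large volume outbound over
    SSH to an external address. Either signal alone is noisy; together they
    match the pivot-and-tunnel pattern the excerpt describes."""
    into_restricted = defaultdict(set)
    ssh_out_bytes = defaultdict(int)
    ssh_out_peers = defaultdict(set)
    for src, dst, dport, bytes_out, _duration in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in OFFICE_NET and d in RESTRICTED_NET and dport in LATERAL_PORTS:
            into_restricted[src].add(dst)
        if is_internal(src) and not is_internal(dst) and dport == SSH_PORT:
            ssh_out_bytes[src] += bytes_out
            ssh_out_peers[src].add(dst)
    findings = {}
    for src, targets in into_restricted.items():
        if ssh_out_bytes.get(src, 0) >= EXFIL_BYTES_THRESHOLD:
            findings[src] = {
                "restricted_targets": sorted(targets),
                "ssh_egress_peers": sorted(ssh_out_peers[src]),
                "ssh_egress_bytes": ssh_out_bytes[src],
            }
    return findings


def restricted_hosts_with_egress(flows):
    """Hosts in the restricted segment that reach any external address.
    That segment has no Internet access by policy, so any hit is a direct
    segmentation violation rather than a tunnel through a pivot."""
    return sorted({src for src, dst, *_ in flows
                   if ipaddress.ip_address(src) in RESTRICTED_NET
                   and not is_internal(dst)})


if __name__ == "__main__":
    for host, info in find_pivot_hosts(SAMPLE_FLOWS).items():
        print(f"pivot candidate {host}: {info}")
    print("restricted hosts with direct egress:",
          restricted_hosts_with_egress(SAMPLE_FLOWS))
```

On the constructed flows, 10.10.4.21 is the only host flagged: it reaches two restricted-segment machines over SMB and RDP and uploads roughly 180 MB over a four-hour SSH session to an external address, while 10.10.9.5's brief low-volume SSH is ignored. The second check returns nothing, which is what a correctly enforced no-egress segment should look like; a non-empty result there would mean the restriction itself had failed, not that a pivot was in use.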