North Korean Actors Hauls in 100GB from Espionage Campaign
Category: Threat Actor Activity | Industries: Chemical, Defense, Energy, Healthcare, Research, Technology | Level: Tactical | Source: WithSecure
A cyber-espionage campaign linked to the North Korean state-sponsored, Lazarus group resulted in the covert exfiltration of approximately 100GBs of data. Researchers from WithSecure (formerly F-Secure) uncovered the campaign when initially engaged in the investigation of a potential ransomware incident, however, signs and missteps from the threat actors revealed tactics, techniques, and procedures (TTPs) associated with Lazarus revealing a larger campaign effort, naming it "No Pineapple;" due to the error message found in a remote access trojan used by the hackers. Links to Lazarus were found in the infrastructure domains, along with custom malware Dtrack and GREASE. Tracing the C2 connection targets in the campaign included verticals in medical research, chemical engineering, and a technology manufacturer serving industries in energy, defense, research, and healthcare.
The No Pineapple campaign ran from August to November 2022, with the first signs of the campaign being found on August 22nd, 2022, through an exploit of Zimbra software vulnerabilities CVE-2022-27925 and CVE-2022-37042. The exploitation of these vulnerabilities enabled the installation of a webshell on a Zimbra mail server. Four days after the initial webshell drop, the operators dropped tunneling tools Plink and 3Proxy to connect with their command and control server. To escalate privileges, the operator exploited polkit's pkexec utility in CVE-2021-4034. For two months the threat actors moved laterally through the environment, using their Grease malware a support account was created, and the attackers also gathered credentials and data for exfiltrated data. The intrusion concluded on November 11th, 2022 with 100GBs of data exfiltrated.
Anvilogic Use Cases:
- Web Application File Upload
- Tunneling Process Created
- Create/Add Local/Domain User