A new cyber espionage campaign dubbed “No Pineapple!” was attributed to the North Korean hacking group Lazarus, allowing threat actors to stealthily steal 100 GB of data from the victim without causing destruction.

The campaign ran between August and November 2022, targeting organizations in medical research, healthcare, chemical engineering, energy, defense and a leading research university.

The operation was discovered by a Finnish cybersecurity company WithSecure, whose analysts were called in to investigate a possible ransomware incident on one of its clients. However, thanks to an operational error by Lazarus, they were able to link the campaign to the North Korean APT.

WithSecure was able to attribute the activity based on several pieces of evidence, but also noticed new developments for Lazarus, such as:

• the use of new infrastructures using IP addresses without a domain name,
• a new version of the information-stealing malware Dtrack,
• a new version of the GREASE malware used in administrator account creation and protection bypass.

The campaign is called ‘< No Pineapple! >‘ error seen delivered by remote access malware while uploading stolen data to threat actor’s servers.

Discreetly steal data

Lazarus hackers compromised the victim’s network on August 22, 2022 by exploiting Zimbra’s CVE-2022-27925 (remote code execution) and CVE-2022-37042 (authentication bypass) vulnerabilities to drop a webshell on the target mail server.

This RCE flaw was patched in May 2022, but the authentication bypass took Zimbra until August 12 to release a security update. At that time it was already in active operation by threat actors.

After successfully breaching the network, the hackers deployed “Plink” and “3Proxy” tunneling tools to create reverse tunnels to the threat actors’ infrastructure, allowing the threat actors to bypass the firewall.

Less than a week later, WithSecure says the intruders began using modified scripts to extract around 5 GB of email messages from the server and save them to a locally stored CSV file, which was then uploaded to the server. attacker.

Over the next two months, threat actors spread laterally through the network, acquiring administrator credentials and stealing data from devices.

While spreading across the network, Lazarus deployed several custom tools, such as Dtrack and what is believed to be a new version of the GREASE malware, used to locate Windows administrator accounts.

Dtrack is an information-stealing backdoor known to be used by Lazarus, while GREASE malware is associated with Kimusky, another North Korean state-sponsored hacking group.

The attack culminated on November 5, 2022, when the actors hid in the network for over two months and eventually stole 100 GB of data from the compromised organization.

WithSecure was able to analyze the work patterns of the threat actors, indicating that they worked Monday to Saturday from 9am to 10pm.

“Time zone attribution analysis concluded that the time zone aligns with UTC +9. Examination of activity by time of day reveals that most threat actor activity occurred between 00:00 and 15:00 UTC (09:00 and 21:00 UTC +9),” WithSecure shared.

“Analysis of activity by day of the week suggests the threat actor was active Monday through Saturday, a common work pattern for the DPRK.”

New malware and tactics

The first notable change seen in this Lazarus campaign is that they now rely solely on IP addresses without domain names for their infrastructure.

This change has benefits for threat actors, including a reduced need for renewal maintenance and greater IP flexibility.

New D-track The variant spotted in the recent Lazarus attacks is removed by an executable named “onedriver.exe” and no longer uses its own C2 server for data exfiltration.

Instead, it relies on a separate backdoor to transfer the data it has collected locally to the compromised machine, storing it in a password-protected archive.

“The staging and exfiltration host was likely carefully chosen by the threat actor to be a host on which endpoint security monitoring tools were not deployed,” explains WithSecure in the report.

The new GREASE malware used by Lazarus is executed on the host as a DLL (“Ord.dll”) with higher privileges obtained by exploiting the ‘PrintNightmare‘ fault.

Its main difference from previous versions is that it now uses RDPWrap to install an RDP service on the host to create a privileged user account using net user commands.

Exposed by errors

Even for Very sophisticated threatening actors like Lazarus making mistakes is not uncommon and, in this case, led to the campaigns being attributed to the hacking group.

WithSecure’s investigation of network logs recovered from the victim revealed that one of the web shells installed by the intruders was communicating with a North Korean IP address (“175.45.176[.]27”).

This isolated incident occurred earlier today, preceded by connections from a proxy address, indicating that the threat actor likely exposed himself through an error early in his work day.

Additionally, WithSecure observed that various commands executed on hacked network devices were very similar to those hard-coded in the Lazarus malware, but often contained errors and did not execute, indicating that the threat actors were typing them. manually using the “atexec” module of Impacket.

Errors aside, WithSecure was able to tie these operations to Lazarus based on the TTP overlaps detailed in previous Symantec and Cisco Talos reports, malware strains used, target profiles, infrastructure overlaps, and time zone analysis.

WithSecure’s report is another indication of Lazarus activity, with the threat group continuing its efforts to gather intelligence and exfiltrate vast amounts of data from high-profile victims.