Finnish cybersecurity firm WithSecure has uncovered a new cyber espionage campaign by the North Korean hacking group Lazarus. The name of the group is “No Pineapple.” The group stole 100GB of data from several organizations. It includes medical research and healthcare facilities, chemical engineering and energy companies, defense contractors, and a leading research university, between August and November 2022. WithSecure was initially called to investigate a potential ransomware incident. It was able to attribute the activity to Lazarus due to operational errors.

Target Network of North Korean Hacking Group

The Lazarus hackers first compromised their target’s network by leveraging two Zimbra vulnerabilities. These are CVE-2022-27925 (remote code execution) and CVE-2022-37042 (authentication bypass). The attackers then deployed tunneling tools to create reverse tunnels to bypass the firewall and steal 5GB of email messages. Over the next two months, the Lazarus group spread laterally through the network, acquiring administrator credentials and stealing data.

During the attack, the hackers utilized new versions of the Dtrack info-stealer malware. They also used the GREASE malware used for admin account creation and protection bypass. WithSecure noted that the Lazarus group now relies solely on IP addresses without domain names for their infrastructure. It provides more flexibility and reduces the need for renewal maintenance. The new Dtrack variant stores stolen data in a password-protected archive and rely on a separate backdoor for data exfiltration. The new GREASE malware uses RDPWrap to install an RDP service onto the host and create a privileged user account.

WithSecure’s Analysis

WithSecure’s analysis of network logs from the victim organization revealed that the attackers exposed themselves by making operational mistakes. The firm found a web shell communicating with a North Korean IP address. Various commands executed on breached network devices were similar to those hardcoded in Lazarus malware. It was often contained mistakes, indicating the attackers were typing them manually.
According to WithSecure’s analysis, the Lazarus group worked Monday to Saturday from 9 AM to 10 PM UTC +9, with most activity occurring between 00:00 to 15:00 UTC. The firm linked the operations to Lazarus based on TTP overlaps, employed malware strains, target profiles, infrastructure overlaps, and time-zone analysis. WithSecure concludes that the Lazarus group remains a persistent threat and continues to evolve its tactics, making it imperative for organizations to remain vigilant and secure their networks. The Impact of 5G Networks on C