SECURITY
A new campaign from the infamous North Korean hacking group Lazarus has been found actively targeting public and private sector research organizations, the medical research and energy sectors, and their supply chains.
Detailed today by security researchers at cybersecurity solution provider WithSecure Oyj, the campaign was first detected in the fourth quarter of 2022. The researchers assess that its most likely motivation is intelligence gathering.
Dubbed “No Pineapple” after an error message in one of the backdoors, which appends <No Pineapple!> when data exceeds the segmented byte size, the attack starts with Lazarus exploiting known vulnerabilities in Zimbra servers. Having gained access to a targeted server, the group deploys web shell scripts and Cobalt Strike beacons as persistence mechanisms.
Lazarus was observed compromising legitimate accounts and creating illegitimate ones. Auto-run services and scheduled tasks are also deployed to further establish persistence on the compromised server, and some of the deployed scripts set up proxying, tunneling and relaying of connections.
Lazarus attacks are not new, but the researchers point out several noteworthy developments in the new campaign compared with previous Lazarus activity.
Notable features of the new campaign include new infrastructure that relies solely on IP addresses, with no domain names, a departure from previous attacks. A modified version of Dtrack, an information-stealing malware used in previous attacks by the Lazarus Group and by Kimsuky, another group associated with North Korea, was also detected.
Also spotted was a new version of GREASE, malware that lets attackers create new administrator accounts with Remote Desktop Protocol privileges that bypass firewalls.
The researchers also noticed that the attackers briefly used one of the fewer than a thousand IP addresses belonging to North Korea. It was observed connecting to an attacker-controlled web shell for a short time, leading the researchers to suspect a manual error by a group member.
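The infrastructure change noted above, command-and-control reached purely by IP address with no domain names, is something a defender can hunt for in outbound web logs. The following is an added example, not code from WithSecure or from the report; it assumes a simple constructed proxy-log format (timestamp, source IP, method, URL) and flags requests whose destination host is an IP literal rather than a hostname, skipping internal ranges where address-based access is normal.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines in an assumed "timestamp src_ip method url" format;
# adapt LINE_RE to the real proxy or firewall log format in use.
SAMPLE_LOG = """\
2022-11-03T09:12:01Z 10.20.5.17 GET https://updates.example.com/patch.bin
2022-11-03T09:12:44Z 10.20.5.17 POST http://203.0.113.45:8080/upload
2022-11-03T09:13:10Z 10.20.5.22 GET http://10.20.1.5/intranet/index.html
2022-11-03T09:14:52Z 10.20.5.17 GET https://[2001:db8::1]/beacon
2022-11-03T09:15:30Z 10.20.5.31 GET https://mail.example.org/zimbra/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Ranges where connecting by bare address is expected (RFC 1918, loopback,
# link-local, IPv6 ULA). Listed explicitly rather than via is_private(),
# because the stdlib also classifies documentation ranges such as
# 203.0.113.0/24 (used in the constructed samples) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def literal_ip_destination(url):
    """Return the destination address if the URL host is an IP literal
    (IPv4, or IPv6 in brackets), or None if it is a hostname."""
    host = urlsplit(url).hostname  # strips the port and IPv6 brackets
    if host is None:
        return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name, not an address


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_bare_ip_requests(log_text, ignore_internal=True):
    """Return (src, dst_ip, url) tuples for requests made directly to an
    IP address rather than a domain name; internal destinations are
    skipped by default so only the unusual external cases surface."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in practice
        _ts, src, _method, url = m.groups()
        dst = literal_ip_destination(url)
        if dst is None or (ignore_internal and is_internal(dst)):
            continue
        hits.append((src, str(dst), url))
    return hits
```

Direct-to-IP requests are not malicious on their own, so the output is a hunting lead to correlate with the source host, the destination port and the process making the connection, not an alert in itself.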
“In spite of the opsec fails, the actor demonstrated good tradecraft and still managed to perform considered actions on carefully selected endpoints,” WithSecure Head of Threat Intelligence Tim West explained. “Even with accurate endpoint detection technologies, organizations need to continually consider how they respond to alerts and also integrate focused threat intelligence with regular hunts to provide better defense in depth, particularly against capable and adept adversaries.”