The North Korean “Lazarus” hacking group are back in the headlines after a blunder in a hacking campaign in late 2022 pointed a finger straight at Pyongyang.

The campaign, dubbed “No Pineapple”, allowed the threat actors to steal 100GB of data from their victims between August and November without destroying any files.

Targets included organisations involved in medical research, healthcare, chemical engineering, energy, defense, and academia.

Finnish cyber security company WithSecure (formerly F-Secure) uncovered the attack while investigating a potential ransomware attack on one of its customers’ networks.

Attribution

WithSecure’s investigation of network logs from the victim revealed that one of the web shells planted by the intruders was communicating with a North Korean IP address, 175[.]45[.]176[.]27.

This isolated incident occurred at the beginning of one day, suggesting that the threat actor exposed themselves through an error made at the start of their workday.

Additionally, WithSecure observed that various commands executed on the breached network devices were very similar to those hardcoded inside other Lazarus malware but often contained mistakes and didn’t execute, indicating that the threat actors were typing them manually.

WithSecure’s report is another indication of Lazarus’ activity, with the threat group continuing its efforts to gather intelligence and exfiltrate large amounts of data from high-profile victims.

No Pineapple!

The campaign was named <No Pineapple!> after an error code seen in transmissions when the remote access malware was uploading stolen data to the attackers’ remote servers.

Data Exfil

The hackers compromised the victim’s network on August 22nd, 2022, by leveraging the CVE-2022-27925 (remote code execution) and CVE-2022-37042 (authentication bypass) Zimbra vulnerabilities to drop a webshell on the target’s mail server.

CVE-2022-27925 was patched in May 2022, but the authentication bypass took Zimbra until August 12th to release a security update. By that time, it was already under active exploitation by threat actors.

After breaching the network, the hackers deployed Plink (PuTTY Link) and 3Proxy to create reverse tunnels back to their own infrastructure, allowing them to bypass the victim’s firewall.

WithSecure’s report says that less than one week after access, the intruders began utilising modified scripts to extract approximately 5GB of email messages from the mail server and saved them to a locally stored CSV file, which was later uploaded to the attacker’s server.

Over the next two months, the threat actors spread laterally through the network, acquiring administrator credentials and stealing data from devices.

While spreading through the network, Lazarus deployed multiple custom tools, such as Dtrack and what is believed to be a new version of the GREASE malware, used to locate Windows administrator accounts.

Dtrack is an information-stealing backdoor known to be used by Lazarus, while the GREASE malware is associated with Kimsuky, another North Korean state-sponsored hacking group.

The attack culminated on November 5th, 2022, with the actors lurking in the network for over two months and ultimately stealing 100GB of data from the compromised organization. 

WithSecure was able to analyze the work patterns of the threat actors, stating that they worked Monday through Saturday from 9 AM to 10 PM.

Time zone attribution analysis concluded that the activity aligns with UTC+9. Reviewing activity by time of day shows that most threat actor activity occurred between 00:00 and 15:00 UTC (09:00 to 21:00 UTC+9).

Analysing activity by day of the week suggests that the threat actor was active Monday to Saturday, a common work pattern for DPRK.

Lazarus group working times – WithSecure
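The working-hours analysis described above can be reproduced on any set of intruder timestamps: shift them to each candidate UTC offset, bucket by hour and weekday, and score how much activity lands inside a Monday-to-Saturday, 09:00-22:00 working window. The following Python is an added example, not code from the WithSecure report; the timestamps are constructed sample data, and the scoring function and window bounds are assumptions of the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of intruder activity timestamps in UTC (e.g. web shell
# requests and command executions pulled from logs). Not data from the report.
SAMPLE_EVENTS_UTC = [
    "2022-09-05T01:15:00", "2022-09-05T04:40:00", "2022-09-05T11:05:00",  # Mon
    "2022-09-06T00:30:00", "2022-09-06T07:20:00", "2022-09-06T12:45:00",  # Tue
    "2022-09-07T02:10:00", "2022-09-07T09:00:00",                         # Wed
    "2022-09-08T03:25:00",                                                # Thu
    "2022-09-09T05:50:00", "2022-09-09T10:30:00",                         # Fri
    "2022-09-10T01:40:00", "2022-09-10T08:15:00",                         # Sat
]

WORKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat")  # assumed DPRK work week


def parse_utc(stamps):
    """Parse ISO-8601 strings as timezone-aware UTC datetimes."""
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in stamps]


def activity_profile(events, offset_hours):
    """Hour-of-day and day-of-week histograms after shifting to UTC+offset."""
    tz = timezone(timedelta(hours=offset_hours))
    local = [e.astimezone(tz) for e in events]
    return Counter(e.hour for e in local), Counter(e.strftime("%a") for e in local)


def workday_fit(events, offset_hours, start=9, end=22, workdays=WORKDAYS):
    """Fraction of events inside the working window (start <= hour < end on a
    working day) when the clock is viewed at UTC+offset. 1.0 is a perfect fit."""
    tz = timezone(timedelta(hours=offset_hours))
    local = [e.astimezone(tz) for e in events]
    hits = sum(1 for l in local if start <= l.hour < end and l.strftime("%a") in workdays)
    return hits / len(events)


def best_offset(events, offsets=range(-12, 15)):
    """Rank every whole-hour UTC offset by workday fit; return the best one and
    the full ranking so an analyst can see how close the runners-up are."""
    ranking = sorted(((workday_fit(events, o), o) for o in offsets), reverse=True)
    return ranking[0][1], ranking


if __name__ == "__main__":
    events = parse_utc(SAMPLE_EVENTS_UTC)
    offset, ranking = best_offset(events)
    hours, days = activity_profile(events, offset)
    print(f"best fit: UTC{offset:+d}  hours={sorted(hours.items())}  days={dict(days)}")
```

Because neighbouring offsets often score almost as well, the ranking matters more than the single winner; a timezone estimate is corroborating evidence for attribution, not proof on its own.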