Highlights –

  • The security experts at WithSecure Oyj, a provider of cybersecurity solutions, recently revealed that the campaign was first discovered in the fourth quarter of 2022.
  • Also discovered was a new variant of the GREASE malware, which allows attackers to circumvent firewalls by creating new administrator accounts with remote desktop protocol credentials.

Researchers have discovered that the notorious North Korean hacker group Lazarus has launched a new campaign against public and private research institutions, the medical research and energy sectors, and their supply chains.

The security experts at WithSecure Oyj, a provider of cybersecurity solutions, recently revealed that the campaign was first discovered in the fourth quarter of 2022. They determined that the purpose behind the effort was most likely intelligence gathering.

The campaign, dubbed “No Pineapple” after a backdoor error message that appends <No Pineapple!> when data exceeds the segmented byte size, begins with Lazarus exploiting known vulnerabilities on Zimbra servers. After gaining access to a target server, the group installs web shell scripts and Cobalt Strike beacons as persistence mechanisms.

The researchers found that Lazarus both compromised legitimate accounts and created fraudulent ones. Automated services and scheduled tasks are also deployed on the compromised server to further establish persistence, and some of the deployed scripts create proxy, tunnel, and relay connections.

The Lazarus attacks are not new, but the researchers identify several important differences between the current campaign and earlier Lazarus activities.

In a break from earlier attacks, the current campaign uses new infrastructure, including an exclusive reliance on IP addresses rather than domain names. Lazarus Group and Kimsuky, two North Korea-affiliated groups, had used a modified version of the Dtrack information-stealing malware in earlier attacks.
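
An infrastructure choice like this is something a defender can hunt for: outbound connections whose destination is a bare IP literal rather than a hostname, and which recur at near-constant intervals, stand out in proxy logs. The following Python is an added example (not WithSecure's tooling or anything from the report) that runs such a heuristic over constructed proxy log lines in a simplified, assumed format; the external addresses come from the RFC 5737 documentation ranges and the beacon-spacing tolerance is an arbitrary threshold.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log lines (timestamp, client, method, target, status, bytes).
# Illustrative records only, not telemetry from the campaign; external hosts use
# the RFC 5737 documentation ranges as stand-ins for real internet addresses.
SAMPLE_PROXY_LOG = """\
2022-11-03 02:15:01 10.0.0.5 CONNECT 203.0.113.45:443 200 1532
2022-11-03 02:15:31 10.0.0.5 CONNECT 203.0.113.45:443 200 1498
2022-11-03 02:16:02 10.0.0.5 CONNECT 203.0.113.45:443 200 1511
2022-11-03 02:16:10 10.0.0.7 GET http://updates.example.com/catalog.xml 200 8201
2022-11-03 02:16:44 10.0.0.7 GET http://10.0.0.20/intranet/index.html 200 4096
2022-11-03 02:17:05 10.0.0.5 POST http://198.51.100.8/upload 200 920
2022-11-03 02:17:30 10.0.0.9 GET http://www.example.org/ 200 2213
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")

# Address space that should never count as an external destination:
# RFC 1918 private ranges, loopback and link-local. (Python's own
# is_private also excludes the documentation ranges, so an explicit
# list is used here on purpose.)
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def target_host(target: str) -> str:
    """Return the host part of a proxy target: a CONNECT host:port or an absolute URL."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.rsplit(":", 1)[0].strip("[]")


def ip_literal(host: str):
    """Return an ip_address if the host is a bare IP literal, else None (a domain name)."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def ip_literal_destinations(log_text: str, regular_tolerance_s: float = 5.0):
    """Group connections to bare external IP addresses by (client, destination) and
    flag pairs whose spacing is nearly constant, as a periodic beacon's would be."""
    stamps_by_pair = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skipped rather than guessed at
        ts, client, _method, target, _status, _nbytes = m.groups()
        ip = ip_literal(target_host(target))
        if ip is None or is_internal(ip):
            continue  # hostname-based or internal traffic is out of scope for this rule
        stamps_by_pair[(client, str(ip))].append(
            datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))

    findings = []
    for (client, dest), stamps in stamps_by_pair.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # "regular" needs at least three connections whose gaps differ by no more
        # than the tolerance; this is a constructed heuristic, not a published rule.
        regular = len(gaps) >= 2 and (max(gaps) - min(gaps)) <= regular_tolerance_s
        findings.append({"client": client, "dest": dest,
                         "count": len(stamps), "regular": regular})
    findings.sort(key=lambda f: (-f["count"], f["dest"]))
    return findings


if __name__ == "__main__":
    for f in ip_literal_destinations(SAMPLE_PROXY_LOG):
        print(f)
```

On the sample, the client talking to 203.0.113.45 every thirty seconds is reported first with `regular` set, while the single upload to 198.51.100.8 is listed without the periodicity flag; the intranet IP and the hostname-based requests are ignored. In production the same logic should be fed from the proxy's real format and tuned against legitimate IP-only services (software updaters, some CDNs) before it is used for alerting.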

Also discovered was a new variant of the GREASE malware, which allows attackers to circumvent firewalls by creating new administrator accounts with remote desktop protocol credentials.
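
The behaviour attributed to GREASE above, a freshly created account that is immediately granted administrator and remote desktop rights, leaves a distinctive pair of records in the Windows Security log: event 4720 (a user account was created) followed by 4732 (a member was added to a security-enabled local group). The Python below is an added example, not code from WithSecure or the GREASE analysis, that correlates those two events over constructed records; it assumes the member in 4732 has already been resolved from a SID to an account name, and the fifteen-minute window and the severity labels are arbitrary choices.

```python
from datetime import datetime, timedelta

# Constructed events modelled on Windows Security log fields. Illustrative only.
# "subject" is the account that performed the action; a machine account such as
# WEB01$ creating users is the kind of detail that deserves a second look.
SAMPLE_EVENTS = [
    {"time": "2022-11-03T02:14:07", "event_id": 4720, "subject": "WEB01$",
     "account": "svc_backup", "group": None},
    {"time": "2022-11-03T02:14:09", "event_id": 4732, "subject": "WEB01$",
     "account": "svc_backup", "group": "Administrators"},
    {"time": "2022-11-03T02:14:12", "event_id": 4732, "subject": "WEB01$",
     "account": "svc_backup", "group": "Remote Desktop Users"},
    # Routine provisioning: RDP access granted a day after the account was created.
    {"time": "2022-11-03T09:30:00", "event_id": 4720, "subject": "it.admin",
     "account": "j.doe", "group": None},
    {"time": "2022-11-04T09:30:00", "event_id": 4732, "subject": "it.admin",
     "account": "j.doe", "group": "Remote Desktop Users"},
    # Pre-existing account promoted; no matching 4720, so this rule ignores it.
    {"time": "2022-11-03T11:00:00", "event_id": 4732, "subject": "it.admin",
     "account": "existing.user", "group": "Administrators"},
]

# Group memberships that turn a new account into a remote-capable administrator.
WATCHED_GROUPS = {"Administrators", "Remote Desktop Users"}


def find_new_privileged_accounts(events, window=timedelta(minutes=15)):
    """Return one alert per account that was created and then added to a watched
    group within `window`. Severity is 'high' when it landed in every watched group."""
    created = {}   # account -> (creation time, creating subject)
    hits = {}      # account -> alert under construction
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ev["time"])
        acct = ev["account"]
        if ev["event_id"] == 4720:
            created[acct] = (ts, ev["subject"])
        elif ev["event_id"] == 4732 and ev["group"] in WATCHED_GROUPS:
            if acct not in created:
                continue   # account predates the log slice: out of scope here
            t0, creator = created[acct]
            if ts - t0 > window:
                continue   # too slow to look like an automated tool
            hit = hits.setdefault(acct, {
                "account": acct, "created_by": creator,
                "created_at": t0.isoformat(), "groups": []})
            hit["groups"].append(ev["group"])

    alerts = []
    for hit in hits.values():
        hit["severity"] = "high" if WATCHED_GROUPS.issubset(hit["groups"]) else "medium"
        alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in find_new_privileged_accounts(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only `svc_backup` is reported, at high severity, because it received both memberships within seconds of creation; the day-later provisioning of `j.doe` and the promotion of an account with no creation event are left alone. Whether the window should be minutes or hours depends on how quickly legitimate provisioning runs in a given environment.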

In their analysis, the researchers also found that the attackers briefly used one of the fewer than one thousand IP addresses belonging to North Korea. The address was observed connecting to an attacker-controlled web shell for a short period, leading the researchers to believe a group member had made a mistake.