
OpenCarrot Backdoor

State-sponsored hackers believed to be connected to North Korea have compromised sensitive internal IT infrastructure, with notable instances including the compromise of an email server and the deployment of a Windows backdoor known as OpenCarrot. The cyber attackers specifically targeted NPO Mashinostroyeniya, a prominent Russian missile engineering company.

The breach involving the Linux email server has been attributed to the hacking group ScarCruft. However, the Windows backdoor, OpenCarrot, has been previously associated with the Lazarus Group, with the first attacks using it being detected by cybersecurity experts in mid-May 2022.

Situated in Reutov, NPO Mashinostroyeniya is a rocket design bureau that has faced sanctions from the U.S. Treasury Department since July 2014. The sanctions were imposed due to the bureau's connection to 'Russia's continued attempts to destabilize eastern Ukraine and its ongoing occupation of Crimea.'

The OpenCarrot Backdoor Possesses an Extensive Array of Threatening Functions

OpenCarrot is designed as a Windows dynamic-link library (DLL) and supports more than 25 distinct commands. These commands facilitate activities such as reconnaissance, manipulation of file systems and processes, and the management of various communication methods. The wide range of functions found in OpenCarrot is enough for the attackers to establish complete control over the compromised machines. At the same time, the threat actors are able to carry out multiple infections across the victim's local network.

While the specific approach taken to breach the email server and the attack sequence used to deploy OpenCarrot remain undisclosed, it is acknowledged that ScarCruft frequently utilizes social engineering tactics in phishing schemes to trick victims and deliver backdoors such as RokRat.

Furthermore, a thorough analysis of the attack infrastructure has unveiled the existence of two domains: centos-packages[.]com and redhat-packages[.]com. These domains bear a significant resemblance to the names utilized by the threat actors during the JumpCloud hack that occurred in June 2023.
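As an added defender-side illustration (not code from this page or from the researchers it cites): a small Python scanner that refangs the two domains named above and flags DNS query-log lines that resolve them or any of their subdomains. The log-line format and the sample lines are constructed for the example.

```python
"""Scan DNS query logs for the OpenCarrot-linked domains named on this page."""
import re

# Defanged indicators exactly as listed on the page.
DEFANGED_DOMAINS = ["centos-packages[.]com", "redhat-packages[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable name."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().strip(".")


def build_matcher(domains):
    """Return a predicate that is true for an indicator domain or a subdomain
    of one (e.g. cdn.centos-packages.com), but not for look-alikes such as
    evil-centos-packages.com, because the label boundary ('.') is enforced."""
    refanged = [refang(d) for d in domains]

    def matches(qname: str) -> bool:
        name = qname.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in refanged)

    return matches


# Constructed BIND-style query-log format:
#   "<timestamp> client <ip>#<port>: query: <qname> IN A +"
LINE_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def find_hits(log_lines, domains=DEFANGED_DOMAINS):
    """Return (client_ip, qname) pairs whose queried name hits an indicator."""
    matches = build_matcher(domains)
    hits = []
    for line in log_lines:
        m = LINE_RE.search(line)
        if m and matches(m.group("qname")):
            hits.append((m.group("client"), m.group("qname").rstrip(".")))
    return hits


# Constructed sample log: one benign lookup, two lookups of the page's domains.
SAMPLE_LOG = [
    "01-Aug-2023 10:14:02.113 client 10.20.30.40#53211: query: mirror.centos.org IN A +",
    "01-Aug-2023 10:14:05.870 client 10.20.30.41#41922: query: centos-packages.com IN A +",
    "01-Aug-2023 10:14:09.004 client 10.20.30.42#50013: query: update.redhat-packages.com. IN A +",
]

if __name__ == "__main__":
    for client, qname in find_hits(SAMPLE_LOG):
        print(f"ALERT {client} resolved {qname}")
```

Exact-domain and subdomain hits are reported; a name that merely contains the indicator as a suffix without a label boundary is not, which keeps false positives down when the list grows.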

OpenCarrot Shows a Rare Convergence of North-Korean APT (Advanced Persistent Threat) Groups

Both ScarCruft (also known as APT37) and the Lazarus Group share ties to North Korea. However, ScarCruft is believed to fall under the purview of the Ministry of State Security (MSS). In contrast, the Lazarus Group supposedly operates within Lab 110, a faction of the Reconnaissance General Bureau (RGB), which serves as the country's primary foreign intelligence service.

The OpenCarrot attack marks a noteworthy collaboration in which two distinct, independent North Korea-linked threat activity clusters have directed their efforts toward the same target. This convergence suggests a strategic espionage mission with significant implications, possibly intended to benefit North Korea's contentious missile program.

Indeed, the OpenCarrot operation serves as a compelling example of North Korea's proactive initiatives to advance its missile development objectives surreptitiously. This is evident through the decision to directly compromise what is considered to be a prominent Russian Defense-Industrial Base (DIB) organization.
