ThreatNeedle Malware

ThreatNeedle Malware Description

The ThreatNeedle Malware is a backdoor threat that infosec researchers have observed to be part of the threatening arsenal of the North Korean APT (Advanced Persistent Threat) group called Lazarus (also known as APT38 and Hidden Cobra). The first time this particular piece of malware was deployed in an active attack was in 2018, when Lazarus targeted a Hong Kong cryptocurrency exchange and a mobile games developer.

In their latest operation, the hackers have once again returned to using the ThreatNeedle Malware. This time, the attack campaign is aimed at defense industry targets located in over a dozen countries spread across the globe. To infiltrate the selected targets, Lazarus uses a finely crafted spear-phishing scheme. The hackers gather social media information about a selected employee and then send a customized email message designed to appear as if it has been sent by the employee's own organization. The email carries either a malware-laced Word document or a link to a remote server under the control of the hackers. Opening the document or clicking on the link initiates the first part of a multi-stage attack chain.

During this stage of the attack, Lazarus mainly conducts initial reconnaissance and then decides whether to escalate the attack by dropping additional malware onto the compromised system and starting to move laterally through the internal network. ThreatNeedle allows the hackers to gain full control over the system, execute arbitrary commands, manipulate files and directories, collect and exfiltrate data, control the backdoor's own processes, and force the infected device to enter hibernation or go into sleep mode.

The most threatening aspect of this latest operation carried out by Lazarus is the ability of the hackers to overcome network segmentation. This means that even if the targeted organization has split its internal network into a segment connected to the public Internet and an isolated segment, the attackers can still reach the isolated part. The breach is conducted by taking control of an internal router device and configuring it to act as a proxy server. The attackers can then exfiltrate data collected from the isolated intranet to their remote server.