Lazarus targets defense industry with ThreatNeedle
We named Lazarus the most active group of 2020. We’ve observed numerous activities by this notorious APT group targeting various industries, with its targets shifting according to its primary objective at the time. Google TAG has recently published a post about a campaign by Lazarus targeting security researchers. After taking a closer look, we identified the malware used in those attacks as belonging to a family that we call ThreatNeedle. We have seen Lazarus attack various industries using this malware cluster before. In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster within the Manuscrypt (a.k.a. NukeSped) family. While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.
The group made use of COVID-19 themes in its spear-phishing emails, embellishing them …
IoC
09580ea6f1fe941f1984b4e1e442e0a5
0aceeb2d38fe8b5ef2899dd6b80bfc08
110e1c46fd9a39a1c86292487994e5bd
156.245.16.55
160d0e396bf8ec87930a5df46469a960
16824dfd4a380699f3841a6fa7e52c6d
254a7a0c1db2bea788ca826f4b5bf51a
6f0c7cbd57439e391c93a2101f958ccd
85621411e4c80897c588b5df53d26270
a611d023dfdd7ca1fab07f976d2b6629
aa74ed16b0057b31c835a5ef8a105942
ac86d95e959452d189e30fa6ded05069
bea90d0ef40a657cb291d25c4573768d
e7aa0237fc3db67a96ebd877806a2c88
fc9e7dc13ce7edc590ef7dfce12fe017
http://156.245.16.55/admin/admin.asp
http://forum.iron-maiden.ru/core/cache/index.php
http://fredrikarnell.com/marocko2014/index.php
http://roit.co.kr/xyz/mainpage/view.asp
http://www.au-pair.org/admin/Newspaper.asp
http://www.au-pair.org/admin/login.asp
http://www.colasprint.com/_vti_log/upload.asp
http://www.djasw.or.kr/sub/popup/images/upfiles.asp
http://www.juvillage.co.kr/img/upload.asp
http://www.kbcwainwrightchallenge.org.uk/connections/dbconn.asp
http://www.kwwa.org/DR6001/FN6006LS.asp
http://www.kwwa.org/popup/160307/popup_160308.asp
http://www.sanatoliacare.com/include/index.asp
https://americanhotboats.com/forums/core/cache/index.php
https://cloudarray.com/images/logo/videos/cache.jsp
https://docentfx.com/wp-admin/includes/upload.php
https://forum.snowreport.gr:443/cache/template/upload.php
https://kannadagrahakarakoota.org/forums/admincp/upload.php
https://martiancartel.com/forum/customavatars/avatars.php
https://mdim.in.ua:443/core/cache/index.php
https://newidealupvc.com:443/img/prettyPhoto/jquery.max.php
https://polyboatowners.com/2010/images/BOTM/upload.php
https://prototypetrains.com:443/forums/core/cache/index.php
https://ryanmcbain.com/forum/core/cache/upload.php
https://shinwonbook.co.kr/basket/pay/open.asp
https://shinwonbook.co.kr/board/editor/upload.asp
https://theforceawakenstoys.com/vBulletin/core/cache/upload.php
https://www.astedams.it/photos/image/image.asp
https://www.automercado.co.cr/empleo/css/main.jsp
https://www.curiofirenze.com/include/inc-site.asp
https://www.dellarocca.net/it/content/img/img.asp
https://www.digitaldowns.us/artman/exec/upload.php
https://www.dronerc.it/forum/uploads/index.php
https://www.dronerc.it/shop_testbr/Adapter/Adapter_Config.php
https://www.edujikim.com/intro/blue/view.asp
https://www.edujikim.com/pay/sample/INIstart.asp
https://www.edujikim.com/smarteditor/img/upload.asp
https://www.fabioluciani.com/ae/include/constant.asp
https://www.fabioluciani.com/es/include/include.asp
https://www.geeks-board.com/blog/wp-content/uploads/2017/cache.php
https://www.gonnelli.it/uploads/catalogo/thumbs/thumb.asp
https://www.lyzeum.com/board/bbs/bbs_read.asp
https://www.lyzeum.com/images/board/upload.asp
https://www.polyboatowners.com/css/index.php
https://www.raiestatesandbuilders.com/admin/installer/installer/index.php
https://www.sanlorenzoyacht.com/newsl/include/inc-map.asp
https://www.waterdoblog.com/uploads/index.asp
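The list above mixes three indicator types: 32-character hex strings are MD5 hashes of ThreatNeedle samples, 156.245.16.55 is a C2 address, and the URLs are compromised web servers used as C2 endpoints (note that some carry an explicit :443, so naive string comparison against proxy logs will miss them). The following triage script is an added example, not code from the original post or from Kaspersky: it splits a flat IoC list into those types, normalises default ports, and matches constructed proxy log lines and file hashes against it. IOC_TEXT holds only a subset of the page's indicators for brevity; the log format and the log lines are invented for the example.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Subset of the IoCs listed on this page (MD5, C2 IP, C2 URLs).
# Paste the full list from the IoC section here for real use.
IOC_TEXT = """
09580ea6f1fe941f1984b4e1e442e0a5
0aceeb2d38fe8b5ef2899dd6b80bfc08
156.245.16.55
http://156.245.16.55/admin/admin.asp
https://forum.snowreport.gr:443/cache/template/upload.php
https://www.dronerc.it/forum/uploads/index.php
http://www.kwwa.org/popup/160307/popup_160308.asp
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DEFAULT_PORT = {"http": 80, "https": 443}


def normalise_url(url):
    """Lower-case the URL, drop an explicit default port (":443" on https,
    ":80" on http) and drop the query string, so that
    'https://host:443/x' and 'https://host/x?a=1' compare equal."""
    parts = urlsplit(url.strip().lower())
    host = parts.hostname or ""
    port = parts.port
    if port is None or port == DEFAULT_PORT.get(parts.scheme):
        netloc = host
    else:
        netloc = f"{host}:{port}"
    return f"{parts.scheme}://{netloc}{parts.path}"


def parse_iocs(text):
    """Split a flat IoC list into MD5 hashes, IPv4 addresses and C2 URLs.
    Also derives the set of C2 hostnames so that any request to a listed
    host (not only the exact path) can be flagged as a weaker match."""
    iocs = {"md5": set(), "ipv4": set(), "url": set(), "host": set()}
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line:
            continue
        if MD5_RE.match(line):
            iocs["md5"].add(line)
        elif IPV4_RE.match(line):
            iocs["ipv4"].add(line)
        elif line.startswith(("http://", "https://")):
            iocs["url"].add(normalise_url(line))
            iocs["host"].add(urlsplit(line).hostname)
    return iocs


# Constructed proxy log lines (not from the page), one request per line in
# a simplified "<time> <client_ip> <method> <url> <status>" format.
PROXY_LOG = """\
2020-06-03T09:12:01Z 10.1.4.22 GET https://www.example.com/index.html 200
2020-06-03T09:14:37Z 10.1.4.22 POST https://forum.snowreport.gr/cache/template/upload.php 200
2020-06-03T09:15:02Z 10.1.4.31 GET http://156.245.16.55/admin/admin.asp?id=1 200
2020-06-03T09:16:45Z 10.1.4.31 GET https://www.dronerc.it/shop/index.php 404
"""


def scan_proxy_log(log_text, iocs):
    """Return (client_ip, url, reason) for every request whose normalised
    URL is a listed C2 URL ("c2-url"), or whose host is a listed C2 host or
    C2 IP without an exact path match ("c2-host", worth a manual look since
    the compromised sites also serve legitimate content)."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        host = (urlsplit(url).hostname or "").lower()
        if normalise_url(url) in iocs["url"]:
            hits.append((client, url, "c2-url"))
        elif host in iocs["host"] or host in iocs["ipv4"]:
            hits.append((client, url, "c2-host"))
    return hits


def md5_of_file(path):
    """MD5 of a file on disk, read in chunks; use it to build the mapping
    that scan_hashes() expects."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_hashes(file_hashes, iocs):
    """file_hashes maps path -> MD5 hex (any case). Returns the sorted list
    of paths whose hash matches a listed ThreatNeedle sample."""
    return sorted(p for p, h in file_hashes.items() if h.lower() in iocs["md5"])


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for client, url, reason in scan_proxy_log(PROXY_LOG, iocs):
        print(f"{reason:8} {client:12} {url}")
```

Exact-URL hits are high confidence; host-only hits on the compromised sites need context (the same server may still host its legitimate forum or shop), so treat them as leads rather than alerts. Hash matching only catches the exact samples listed here, so pair it with the network indicators rather than relying on it alone.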