No Pineapple! - DPRK Targeting of Medical Research and Technology Sector
WithSecure Threat Intelligence
Contents
1. Executive Summary
2. Background
3. Timeline of events
4. Tactics, Techniques and Procedures
   Reconnaissance
   Resource Development
   Execution
   Initial Access
   Persistence
   Passwords
   Privilege Escalation
   Account Creation/Modification
   Credential Access
   Discovery
   Lateral Movement
   Defense Evasion
   Command and Control
   Collection
   Exfiltration
   Other Observations
5. Threat Actor Tooling
   Grease
   SPutty link, 3Proxy & Stunnel
   Dtrack
   Bind Shell
   Acres.exe
   Mimikatz
   Web Shells
6. Attribution
   Overlaps in threat actor TTPs and malware
   Time zone analysis
   Operational security fail
   Infrastructure Overlap
   Threat Actor Context
7. Victimology
8. IOCs and Detection
   Mimikatz
   Bind shell
   GREASE2
   Cobalt Strike
   3Proxy
   Webshells
   User Agent
   Dtrack
   SSH Public Key
   All files
   IPs
   Associated Infrastructure
   Yara rules
1. Executive Summary
During Q4 2022, WithSecure™ responded to a cyber-attack conducted by a threat actor that WithSecure™ have attributed with high confidence to an intrusion set referred to as Lazarus Group. Amongst technical indications, the incident observed by WithSecure™ also contained characteristics of recent campaigns attributed to Lazarus Group by …