Fri | Feb 3, 2023 | 5:37 AM PST

The North Korean state-sponsored cybergang known as Lazarus Group has been identified as the force behind a new cyber espionage campaign that allowed the group to stealthily steal 100GB of data from victims.

The campaign was given the nickname "No Pineapple!" due to an error message found in a backdoor used by the group. The campaign was discovered by Finnish cybersecurity firm WithSecure, which was investigating a potential ransomware incident.

The operation took place between August and November 2022 and targeted organizations in medical research, healthcare, chemical engineering, energy, defense, and a leading research university. 

Lazarus used new infrastructure, relying on IP addresses without domain names, and a new version of the Dtrack info-stealer malware, along with a new version of the GREASE malware for admin account creation and protection bypass.

The hackers breached the network by exploiting the Zimbra vulnerabilities, CVE-2022-27925 and CVE-2022-37042, and deployed a webshell to the target's mail server.

WithSecure shared some key incident points in its report:

  • "Initial compromise and privilege escalation was through exploitation of known vulnerabilities in unpatched Zimbra devices."
  • "Threat actor used off the shelf webshells and custom binaries, as well as abusing legitimate Windows and Unix tools (Living Off the Land)."
  • "Threat actor installed tools for proxying, tunneling and relaying connections."
  • "C2 behavior suggests a small number of C2 servers connecting via multiple relays/endpoints. Some C2 servers appear to themselves be
    compromised victims."
  • "Threat actor exfiltrated ~100GB of data but took no destructive action by the point of disruption."
  • "Other observed possible victim verticals and exfiltration by the threat actor imply the motive is intelligence collection."
  • "Strong confidence that threat actor is North Korean state sponsored intrusion set LAZARUS Group."

However, even the sophisticated Lazarus Group made mistakes in this operation. WithSecure revealed that one of the webshells was communicating with a North Korean IP address and various commands executed on the breached network devices contained mistakes and did not execute.

WithSecure linked the operation to Lazarus based on TTP overlaps, infrastructure overlaps, time-zone analysis, and employed malware strains.

WithSecure's report highlights the continued efforts of Lazarus Group to gather intelligence and steal data from organizations. It is crucial for organizations to keep their systems and software up-to-date with the latest security patches and to implement security measures to detect and prevent such attacks.

See the report by WithSecure, No Pineapple! –DPRK Targeting of Medical Research and Technology Sector, for more information.

Follow SecureWorld News for more stories related to cybersecurity.

Related articles:
Lazarus APT Targeting Cryptocurrency, CISA Warns
North Korean APT Lazarus Targets Energy Sector in US, Canada, Japan