A new cyber espionage campaign, known as No Pineapple!, has been attributed to the North Korean Lazarus hacking group. The campaign allowed the threat actors to steal 100GB of data from the victim without causing any destruction. The attack took place between August and November 2022, targeting organizations in medical research, healthcare, chemical engineering, energy, defense, and a leading research university. The operation was discovered by Finnish cybersecurity firm WithSecure, who were called in to investigate a potential ransomware incident. The campaign is named after the "<No Pineapple!>" error string that a remote access malware transmitted when uploading stolen data to the threat actors' servers.

The hackers exploited the Zimbra vulnerabilities CVE-2022-27925 and CVE-2022-37042 to drop a webshell on the target's mail server. The RCE flaw was patched in May 2022, but the authentication bypass took Zimbra until August 12th to address with a security update. After successfully breaching the network, the hackers deployed the tunneling tools Plink and 3Proxy to create reverse tunnels back to the threat actors' infrastructure, allowing them to bypass the firewall. The threat actors then used modified scripts to extract approximately 5GB of email messages from the server and save them to a locally stored CSV file, which was later uploaded to the attackers' server.

Over the next two months, the hackers moved laterally through the network, acquiring administrator credentials and stealing data from devices. They deployed multiple custom tools, such as Dtrack and what is believed to be a new version of the GREASE malware, which is used to locate Windows administrator accounts. The attack culminated on November 5th, 2022, with the actors stealing 100GB of data from the compromised organization. WithSecure was able to analyze the work patterns of the threat actors, stating that they worked Monday through Saturday from 9 AM to 10 PM in the UTC+9 time zone.
They also found that the threat actors relied solely on IP addresses, with no domain names, for their infrastructure, and that they had deployed a new Dtrack variant dropped by an executable named onedriver.exe. This variant no longer uses its own C2 server for data exfiltration; instead, it relies on a separate backdoor to transfer the data it has gathered locally on the compromised machine. WithSecure linked these operations to Lazarus based on TTP overlaps, shared malware strains, infrastructure overlaps, and time-zone analysis. This is another indication of Lazarus activity, with the threat group continuing its efforts to gather intelligence and exfiltrate large amounts of data from high-profile victims.
This news item was originally published on www.bleepingcomputer.com. Publication date: Thu, 02 Feb 2023 17:57:02 +0000