No Pineapple! –DPRK Targeting of Medical Research and Technology Sector

Summary

During Q4 2022, WithSecure™ detected and responded to a cyber attack conducted by a threat actor that WithSecure™ have attributed with high confidence to an intrusion set referred to as Lazarus Group. Attribution with high confidence was based off of overlapping techniques tactics and procedures as well as an operational security mistake by the threat actor. Amongst technical indications, the incident observed by WithSecure™ also contains characteristics of recent campaigns attributed to Lazarus Group by other researchers.

The campaign targeted public and private sector research organizations, the medical research and energy sector as well as their supply chain. The motivation of the campaign is assessed to be most likely for intelligence benefit. Previous reporting on similar campaigns highlights the targeting of technology with military implementations and WithSecure™ assesses that this type of targeting continued through Q4 2022.

WithSecure™ Threat Intelligence has named this report ‘No Pineapple’ due to an error message in a backdoor which will append < No Pineapple! > in the event data when it exceeds segmented byte size.

Key Incident Points

• Initial compromise and privilege escalation was through exploitation of known vulnerabilities in unpatched Zimbra devices
• Threat actor used off the shelf webshells and custom binaries, as well as abusing legitimate Windows and Unix tools (Living Off the Land)
• Threat actor installed tools for proxying, tunnelling and relaying connections
• C2 behavior suggests a small number of C2 servers connecting via multiple relays/endpoints. Some C2 servers appear to themselves be compromised victims 
• Threat actor exfiltrated ~100GB of data but took no destructive action by the point of disruption
• Other observed possible victim verticals and exfiltration by the threat actor imply the motive is intelligence collection
• Strong confidence that threat actor is North Korean state sponsored intrusion set Lazarus Group

WithSecure™ Detection Coverage 

WithSecure™ Elements Endpoint Protection and Endpoint Detection and Response offer multiple detections to identify the malicious actions detailed in the report, including: 

WithSecure™ Elements Endpoint Protection

• Backdoor:W64/BindShell.*
• Backdoor:W32/Rease.*
• Riskware:W32/3proxy.*
• Backdoor:W64/Acres.*
• Trojan-Dropper:W64/DTrack.*
• PotentiallyUnwanted:W32/App.relch
• Malware.Java/Webshell.G
• Backdoor:Java/Webshell.B

WithSecure™ Elements Endpoint Detection and Response

• Impacket atremote
• Custom malware executed
• Uncommon jsp accessed in zimbra
• Cobalt strike jquery malleable c2 profile
• Credentials extracted from lsass memory
• Enable wdigest uselogoncredential