A prolific North Korean state-sponsored hacking group known as Lazarus has been tied to a new, ongoing espionage campaign aimed at exfiltrating sensitive information from organizations in the defense industry, leveraging a tool called ThreatNeedle.

The campaign leverages a multi-step approach that begins with a carefully crafted spear-phishing attack leading eventually to the attackers gaining remote control over the devices.

ThreatNeedle is delivered to targets via COVID-themed emails with malicious Microsoft Word attachments as initial infection vectors that, when opened, run a macro containing malicious code designed to download and execute additional payloads on the infected system.

The next-stage malware embeds its malicious capabilities inside a Windows backdoor that offers features for initial reconnaissance and for deploying further malware for lateral movement and data exfiltration, ultimately giving the attackers control of the whole system.

ThreatNeedle overlaps with another malware family called Manuscrypt, which the Lazarus Group has used in previous hacking campaigns against the cryptocurrency and mobile games industries.

Manuscrypt was also deployed in a Lazarus Group campaign that targeted the cybersecurity community: researchers were offered opportunities to collaborate on vulnerability research, only to be infected with malware capable of stealing exploits they had developed for possibly undisclosed vulnerabilities, which the group could then use to stage further attacks on vulnerable targets of its choosing.

Attackers bypassed network segmentation protections in an unnamed enterprise network by “gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network to their remote server.”
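One way a defender can hunt for the router-as-proxy pattern described above is to look, in flow records, for a routing device that both accepts non-management traffic from intranet hosts and itself opens connections to addresses outside the intranet. The script below is an added illustration, not code from the report; the flow format, the router inventory, the management-port list and all addresses are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records for this example: "timestamp src dst dst_port bytes".
# 10.10.0.1 is a router; 10.10.5.22 is an intranet host; 203.0.113.45 stands in for
# the attacker-controlled external server (a documentation address, not a real IoC).
SAMPLE_FLOWS = """\
2021-02-25T10:01:03Z 10.10.0.1 10.10.5.22 445 1200
2021-02-25T10:01:10Z 10.10.5.22 10.10.0.1 8080 8400
2021-02-25T10:01:12Z 10.10.0.1 203.0.113.45 443 8200
2021-02-25T10:02:40Z 10.10.5.22 10.10.0.1 8080 15000
2021-02-25T10:02:45Z 10.10.0.1 203.0.113.45 443 14900
2021-02-25T10:03:00Z 10.10.5.30 192.168.1.7 443 400
2021-02-25T10:04:00Z 10.10.0.2 10.10.0.1 22 300
"""

# Assumed inventory of routing devices and the ports on which admins normally reach them.
ROUTER_HOSTS = {"10.10.0.1", "10.10.0.2"}
MGMT_PORTS = {22, 23, 161}
# Treat RFC 1918 space as "intranet"; anything else counts as external.
INTRANET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_intranet(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTRANET)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, size = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(size)})
    return flows


def find_router_proxy_candidates(flows, routers=ROUTER_HOSTS):
    """Return routers that receive non-management traffic from intranet hosts AND
    initiate connections to external addresses: the hallmark of a router acting as
    an exfiltration proxy across a segmentation boundary."""
    stats = defaultdict(lambda: {"inbound_from": set(), "outbound_to": set(), "bytes_in": 0, "bytes_out": 0})
    for f in flows:
        inbound = f["dst"] in routers and f["src"] not in routers and is_intranet(f["src"])
        if inbound and f["port"] not in MGMT_PORTS:
            stats[f["dst"]]["inbound_from"].add(f["src"])
            stats[f["dst"]]["bytes_in"] += f["bytes"]
        elif f["src"] in routers and not is_intranet(f["dst"]):
            stats[f["src"]]["outbound_to"].add(f["dst"])
            stats[f["src"]]["bytes_out"] += f["bytes"]
    return {r: s for r, s in stats.items() if s["inbound_from"] and s["outbound_to"]}


if __name__ == "__main__":
    for router, s in find_router_proxy_candidates(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{router}: {s['bytes_in']} bytes in from {sorted(s['inbound_from'])}, "
              f"{s['bytes_out']} bytes out to {sorted(s['outbound_to'])}")
```

A close match between bytes received from intranet hosts and bytes sent to the external address, as in the sample, strengthens the case that the router is relaying rather than generating the traffic.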

The Lazarus group has historically focused on attacking financial institutions around the world. Beginning in early 2020, it turned to aggressively attacking the defense industry. The ThreatNeedle malware used in this attack had previously been employed against cryptocurrency businesses and is now being actively used in cyberespionage attacks.