No Pineapple! - DPRK Targeting of Medical Research and Technology Sector

2023-02-02 WithSecure

https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf

Attachments

WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf (3 MB)


WithSecure attributes the Q4 2022 “No Pineapple” intrusion with high confidence to Lazarus Group. The operation targeted public and private research organizations, medical research, energy-sector entities, and their supply chain, most likely for intelligence collection. Initial compromise and privilege escalation came through exploitation of unpatched Zimbra devices, followed by web shells, custom binaries, living-off-the-land Windows and Unix tooling, proxying, tunneling, and relay infrastructure. The actor’s tooling included Grease, Dtrack, 3Proxy, Stunnel, bind shells, Mimikatz, and web shells, and roughly 100 GB of data was exfiltrated before the intrusion was disrupted. WithSecure’s attribution rests on malware and TTP overlaps, time-zone analysis, infrastructure overlap, and an operational-security mistake by the actor.

Indicators of Compromise

