Lazarus group ransomware7/26/2023 "In spite of the opsec fails, the actor demonstrated good tradecraft and still managed to perform considered actions on carefully selected endpoints," warned Tim West, head of threat intelligence at WithSecure. These included the use of new infrastructure, such as the exclusive use of IP addresses with no domain names, a modified version of the Dtrack backdoor and a novel variant of the Grease malware.Īs for the operational security mistake mentioned by WithSecure, the team said the attacker used one out of a 1000 IP addresses belonging to North Korea that was observed connecting to an attacker-controlled web shell. "As we collected more evidence, we became more confident that the attack was conducted by a group connected to the North Korean government."Īccording to the team, the new campaign highlighted several "noteworthy developments" compared to previous Lazarus Group activity. "While this was initially suspected to be an attempted BianLian ransomware attack, the evidence we collected quickly pointed in a different direction," explained WithSecure senior threat intelligence researcher Sami Ruohonen. Writing in an email to Infosecurity, WithSecure has said that after investigating the attack, the team linked it to a broader intelligence-gathering operation. A ransomware attack on targeted research, medical and energy sector organizations has been attributed to North Korea's advanced persistent threat (APT) Lazarus Group after the threat actor committed an "operational security mistake."
0 Comments
Leave a Reply. |