| Category | Details |
|---|---|
| Threat Actors | ScarCruft (APT37, Inky Squid, Group123), Lazarus Group |
| Campaign Overview | Compromise of Russian defense industrial base, NPO Mashinostroyeniya; use of OpenCarrot backdoor and RokRAT by two DPRK-affiliated threat actors. |
| Targets (Victims) | NPO Mashinostroyeniya, a Russian missile and military spacecraft manufacturer under JSC Tactical Missiles Corporation. |
| Methodology | Network intrusion, backdoor deployment, exploitation of internal IT infrastructure, malware communication via compromised email server. |
| Product Targeted | Internal IT systems, email server hosted at vpk.npomash[.]ru |
| Malware Reference | OpenCarrot backdoor, RokRAT |
| Tools Used | Malware loaders, Oreans Code Virtualizer, Themida |
| Vulnerabilities Exploited | Not explicitly identified; the report mentions suspicious communications and the use of malicious DLL files. |
| TTPs | Reconnaissance, DLL injection, persistence via Windows services, long sleep intervals, ICMP pinging, command execution through local and remote sources. |
| Attribution | North Korean threat actors (ScarCruft and Lazarus); potential collaboration or shared infrastructure. |
| Recommendations | Strengthen monitoring of suspicious network activity; ensure timely detection of beaconing processes; improve endpoint defenses against backdoors. |
| Source | SentinelOne |
Read full article: https://nl.sentinelone.com/labs/comrades-in-arms-north-korea-compromises-sanctioned-russian-missile-engineering-company/
The above summary has been generated by an AI language model