| Category | Details |
|---|---|
| Threat Actors | ScarCruft (APT37, Inky Squid, Group123), Lazarus Group |
| Campaign Overview | Compromise of NPO Mashinostroyeniya, part of the Russian defense industrial base; deployment of the OpenCarrot backdoor and RokRAT by two DPRK-affiliated threat actors. |
| Target Regions (Victims) | NPO Mashinostroyeniya, a Russian missile and military spacecraft manufacturer under JSC Tactical Missiles Corporation. |
| Methodology | Network intrusion, backdoor deployment, exploitation of internal IT infrastructure, malware communication via a compromised email server. |
| Product Targeted | Internal IT systems, email server hosted at vpk.npomash[.]ru |
| Malware Reference | OpenCarrot backdoor, RokRAT |
| Tools Used | Malware loaders, Oreans Code Virtualizer, Themida |
| Vulnerabilities Exploited | Not explicitly identified; suspicious communications and DLL file exploitation are mentioned. |
| TTPs | Reconnaissance, DLL injection, persistence via Windows services, long sleep intervals, ICMP pinging, command execution from local and remote sources. |
| Attribution | North Korean threat actors (ScarCruft and Lazarus); potential collaboration or shared infrastructure. |
| Recommendations | Strengthen monitoring of suspicious network activity; ensure timely detection of beaconing processes; improve endpoint defenses against backdoors. |
| Source | SentinelOne |
Read full article: https://nl.sentinelone.com/labs/comrades-in-arms-north-korea-compromises-sanctioned-russian-missile-engineering-company/
The above summary has been generated by an AI language model