
Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company

Threat Actors: ScarCruft (APT37, Inky Squid, Group123), Lazarus Group
Campaign Overview: Compromise of the Russian defense industrial base entity NPO Mashinostroyeniya; use of the OpenCarrot backdoor and RokRAT by two DPRK-affiliated threat actors.
Target Regions (Victims): NPO Mashinostroyeniya, a Russian missile and military spacecraft manufacturer under JSC Tactical Missiles Corporation.
Methodology: Network intrusion, backdoor deployment, exploitation of internal IT infrastructure, malware communication via a compromised email server.
Product Targeted: Internal IT systems, email server hosted at vpk.npomash[.]ru
Malware Reference: OpenCarrot backdoor, RokRAT
Tools Used: Malware loaders, Oreans Code Virtualizer, Themida
Vulnerabilities Exploited: Not explicitly identified, but suspicious communications and DLL file exploitation are mentioned.
TTPs: Reconnaissance, DLL injection, persistence via Windows services, long sleep intervals, ICMP pinging, command execution through local and remote sources.
Attribution: North Korean threat actors (ScarCruft and Lazarus); potential collaboration or shared infrastructure.
Recommendations: Strengthen monitoring of suspicious network activity; ensure timely detection of beaconing processes; improve endpoint defenses against backdoors.
Source: SentinelOne

Read full article: https://nl.sentinelone.com/labs/comrades-in-arms-north-korea-compromises-sanctioned-russian-missile-engineering-company/

The above summary has been generated by an AI language model


Source: SentinelOne Labs

Published on: August 7, 2023
