Cyber Espionage, Lazarus targets Defense industry with ThreatNeedle
Kaspersky: Lazarus is targeting the Defense industry with custom malware, dubbed ThreatNeedle. It is a backdoor.
Lazarus is targeting the Defense industry with custom malware, dubbed ThreatNeedle. It has been discovered by Kaspersky cybersecurity experts, who detected a cyber espionage campaign. The North Korean APT’s backdoor moves laterally through infected networks and extracts confidential information. So far, organizations in more than a dozen countries have been affected. The initial infection occurs through spear phishing: targets receive emails that contain either a malicious Word attachment or a link to one hosted on company servers. Often, the emails claimed to have urgent updates related to the pandemic and supposedly came from a respected medical center. If the malicious document is opened, the malware is dropped and proceeds to the next stage of the deployment process. Once installed, it is able to obtain full control of the victim’s device.
The cybersecurity experts: The North Korean APT’s malware moves laterally through infected networks and extracts confidential information
According to the cybersecurity experts, one of the most interesting techniques in this Lazarus cyber espionage campaign is the group’s ability to steal data from both office IT networks and a plant’s restricted network. According to company policy, no information is supposed to be transferred between these two networks. However, administrators could connect to both of them to maintain these systems. The North Korean APT was able to obtain control of administrator workstations and then set up a malicious gateway to attack the restricted network and to steal and extract confidential data from there.