Suspected Nork digital intruders caught breaking into US healthcare, education orgs

Digital intruders with possible links to North Korea have been infecting organizations in the US education and healthcare sectors with a never-before-seen backdoor since at least December, according to security researchers.

"We observed that the attacker had infected several educational institutions, including a university that is connected to several other institutions, indicating a potential wider attack surface," Cisco Talos researcher Chetan Raghuprasad told The Register. "Additionally, one of the affected entities was a healthcare facility, specifically for elderly care.

"Based on the nature of the victimology in the current intrusions, the actor likely has a motive for financial gain," Raghuprasad added.

Talos spotted the ongoing campaign, attributed to a group it tracks as UAT-10027, and says "with low confidence" that it is a North Korean crew, based on similarities to Lazarus Group and other Pyongyang-backed gangs. The attackers likely gain initial access via social engineering and phishing, we're told, and the multi-stage infection ultimately delivers a new backdoor, Dohdoor, which shares technical characteristics with Lazarus Group's Lazarloader malware.

After gaining access - potentially through a phishing email - the intruders execute a PowerShell downloader that fetches and runs a Windows batch script dropper from a remote staging server. The batch script then orchestrates a DLL sideloading technique: a legitimate Windows executable is made to load a malicious dynamic-link library (DLL) named "propsys.dll" or "batmeter.dll." Both names belong to genuine Windows system libraries, so the load looks routine to anyone skimming a process's module list.

Brand new Dohdoor

The DLL, which Talos calls "Dohdoor," operates as a loader: it downloads, decrypts, and executes malicious payloads inside legitimate Windows processes. This gives the intruders backdoor access to the victim's environment, which they use to pull the next payload - a Cobalt Strike Beacon - into the machine's memory.
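The sideloading step above suggests a hunting check: the genuine propsys.dll and batmeter.dll live in System32 (or SysWOW64) and are Microsoft-signed, so a DLL of that name loaded from anywhere else, sitting beside a copied-out host executable and launched under cmd.exe, is the sideload pair. The following is an added example written for this page, not code from Talos or The Register. It runs over constructed image-load records whose fields (image, image_loaded, signed, parent_image) loosely mirror Sysmon Event ID 7; the pipe-delimited layout, the staging paths and the host.exe name are placeholders, not indicators from the report.

```python
import ntpath

# DLL file names the Talos report says the batch dropper sideloads.
SIDELOADED_DLL_NAMES = {"propsys.dll", "batmeter.dll"}

# Where Windows keeps the genuine, Microsoft-signed copies of those DLLs.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _dir(path):
    """Lower-cased parent directory of a Windows path, without trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\")


def parse_events(lines):
    """Parse constructed image-load records: image|image_loaded|signed|parent_image.
    The field set mirrors a few Sysmon Event ID 7 (ImageLoad) fields; the
    pipe-delimited layout is an assumption made for this example."""
    events = []
    for line in lines:
        image, loaded, signed, parent = line.strip().split("|")
        events.append({"image": image, "image_loaded": loaded,
                       "signed": signed, "parent_image": parent})
    return events


def sideload_reasons(event):
    """Return the reasons an image-load looks like the sideload described in
    the report, or an empty list if it looks like a normal system DLL load."""
    dll = event["image_loaded"]
    if ntpath.basename(dll).lower() not in SIDELOADED_DLL_NAMES:
        return []
    reasons = []
    if _dir(dll) not in SYSTEM_DIRS:
        reasons.append("dll outside System32/SysWOW64")
        if _dir(dll) == _dir(event["image"]):
            reasons.append("dll sits beside its host binary")
        if event["parent_image"].lower().endswith("\\cmd.exe"):
            reasons.append("host process launched by a batch script")
    if event["signed"].lower() != "true":
        reasons.append("dll not signed")
    return reasons


def hunt(lines):
    """Return [(dll_path, reasons)] for every suspicious load in the log."""
    hits = []
    for event in parse_events(lines):
        reasons = sideload_reasons(event)
        if reasons:
            hits.append((event["image_loaded"], reasons))
    return hits


# Constructed sample telemetry: one genuine load, one look-alike outside the
# system directory, one unrelated system DLL. Paths are placeholders, not IOCs.
SAMPLE_LOG = [
    r"C:\Windows\explorer.exe|C:\Windows\System32\propsys.dll|true|C:\Windows\System32\userinit.exe",
    r"C:\Users\Public\stage\host.exe|C:\Users\Public\stage\propsys.dll|false|C:\Windows\System32\cmd.exe",
    r"C:\Program Files\App\app.exe|C:\Windows\System32\batmeter.dll|true|C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for dll, reasons in hunt(SAMPLE_LOG):
        print(dll, "->", "; ".join(reasons))
```

Only the second record is flagged, and the reasons list explains why, which matters when the same name check on its own would page an analyst every time Explorer loads the real propsys.dll. In production the signature check should come from the sensor's own verification rather than a string field, and the parent check is a hint, not proof: a batch-launched host binary is what the report describes, but other droppers would change it.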
UAT-10027 uses several stealthy techniques to avoid detection, including hosting its command-and-control (C2) domains behind Cloudflare infrastructure and resolving the C2 server's IP address with DNS-over-HTTPS (DoH). Because the DNS query travels inside an HTTPS session to Cloudflare's resolver rather than as a plaintext lookup on UDP port 53, DNS security tools that log, filter or sinkhole conventional DNS never see the C2 domain; all they observe is outbound HTTPS from the compromised machine to a trusted IP address. Dohdoor also uses process hollowing to inject the payload into a legitimate Windows binary, so the malicious code runs under the name of a trusted process. Additionally, Talos observed the new backdoor using an endpoint detection and response (EDR) bypass to defeat security tools that monitor Windows API calls: it locates the user-mode hooks EDR products place on the system call stubs in ntdll.dll and restores the original stub bytes, so its calls reach the kernel without passing through the monitoring code. "The NTDLL unhooking technique used to bypass EDR monitoring by identifying and restoring system call stubs aligns with features found in earlier Lazarloader variants," Talos' researchers Alex Karkins and Chetan Raghuprasad said in a Thursday report. They also noted that resolving C2 via DNS-over-HTTPS through Cloudflare's DNS service, process hollowing, and sideloading malicious DLLs under the disguised file name "propsys.dll" have all been used in earlier Lazarus campaigns. "While UAT-10027's malware shares technical overlaps with the Lazarus Group, the campaign's focus on the education and health care sectors deviates from Lazarus' typical profile of cryptocurrency and defense targeting," the duo said. That assertion may be slightly out of date: Symantec and Carbon Black threat hunters earlier this week warned that Lazarus has begun using Medusa ransomware in extortion attacks targeting at least one US healthcare organization.
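To make the DoH evasion concrete, here is an added example written for this page (not code from Talos or The Register) that builds the RFC 8484 GET request a DoH client sends to Cloudflare's resolver and then decodes it back into the queried name, which is what a TLS-inspecting proxy could recover and what a DNS-layer sensor never sees. The resolver list is Cloudflare's documented public DoH endpoints; the report does not say which one UAT-10027 uses, so treating all of them as the relevant resolvers is an assumption, and the queried domain in the sample is a placeholder, not an indicator from the report.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Cloudflare's public DoH resolver names and addresses. Which of these the
# campaign actually talks to is not stated in the report (assumption).
CLOUDFLARE_DOH_HOSTS = {
    "cloudflare-dns.com", "mozilla.cloudflare-dns.com",
    "one.one.one.one", "1.1.1.1", "1.0.0.1",
}
DOH_PATH = "/dns-query"  # RFC 8484 well-known path, used by Cloudflare


def build_doh_get(resolver_host, qname, qtype=1):
    """Build the RFC 8484 GET URL a DoH client sends to resolve qname.
    The DNS message is wire format, base64url-encoded without padding, ID 0."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    encoded = base64.urlsafe_b64encode(header + question).rstrip(b"=").decode("ascii")
    return f"https://{resolver_host}{DOH_PATH}?dns={encoded}"


def _read_name(msg, offset):
    """Decode an uncompressed DNS name at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer not valid in a question name")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def decode_doh_get(url):
    """If url is a DoH GET to a Cloudflare resolver, return (host, qname, qtype);
    otherwise return None. Only possible on plaintext recovered after TLS."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in CLOUDFLARE_DOH_HOSTS or parts.path != DOH_PATH:
        return None
    params = parse_qs(parts.query).get("dns")
    if not params:
        return None
    encoded = params[0]
    wire = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    if len(wire) < 12:
        return None
    _txid, _flags, qdcount = struct.unpack("!HHH", wire[:6])
    if qdcount < 1:
        return None
    qname, offset = _read_name(wire, 12)
    qtype, _qclass = struct.unpack("!HH", wire[offset:offset + 4])
    return host, qname, qtype


def triage(urls):
    """Return (host, qname, qtype) for every DoH lookup found among the URLs."""
    found = []
    for url in urls:
        hit = decode_doh_get(url)
        if hit:
            found.append(hit)
    return found


# Constructed sample of URLs as a TLS-inspecting proxy would see them; the
# queried domain is a placeholder, not an indicator from the Talos report.
SAMPLE_URLS = [
    "https://www.example.org/index.html",
    build_doh_get("cloudflare-dns.com", "payload.example.net"),
    "https://cloudflare-dns.com/",
]

if __name__ == "__main__":
    for host, qname, qtype in triage(SAMPLE_URLS):
        print(f"DoH lookup via {host}: {qname} (qtype {qtype})")
```

Without TLS inspection the only observable is the destination (SNI or IP, 1.1.1.1 on 443), so the practical control is to decide which processes on the estate are allowed to talk to public DoH resolvers at all and alert on any other process doing so; an EDR that attributes the connection to the hollowed process gives you that, a DNS firewall does not.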
One of Lazarus' most prolific subgroups, Andariel, which acts as the cyber-arm of North Korea's military intelligence agency, has previously used Maui and Play ransomware in its intrusions - including those targeting the healthcare sector. Additionally, Kimsuky, another one of Pyongyang's intelligence-gathering goon squads, has hit the education sector in its campaigns. ®