'No Pineapple' Hacking Campaign Reveals North Korean ToolkitEspionage Campaign Bore Telltale Signs of Pyongyang - And a Major OPSEC Failure
A threat intelligence firm spotted North Korean hackers engaged in technological espionage in a campaign that betrayed recurring elements of the Pyongyang hacking toolkit.
Cybersecurity firm WithSecure says* it detected a campaign targeting the medical research and energy sectors that came to its attention after endpoint detection scans showed a Cobalt Strike beacon on a customer's servers connecting to known threat actor IP addresses.
Researchers from the Finnish company dub the campaign "No Pineapple," taking the name from the apparently fruit-loving software developer of a remote access Trojan called acres.exe deployed by the hackers. The tool truncates data exfiltration messages greater than 1,024 bytes with the message "No Pineapple!"
Many campaign indicators point to North Korea and possibly to the government hacking unit Mandiant identifies as Bureau 325. Attribution to North Korean hackers often occurs under the catchall rubric of Lazarus Group, but Mandiant argues that different cyber units specialize in different types of operations despite nearly all North Korean cyber activity originating from inside the Reconnaissance General Bureau.
The totalitarian regime is most famous for state-sponsored cryptocurrency theft but cyberespionage remains an ongoing concern.
The most obvious connection to North Korea spotted by WithSecure came after a review of network logs of servers held by the first known campaign victim. The review revealed inbound connections from a North Korean internet protocol address.
"We suspect that this instance was an operational security failure by the threat actor at the start of their workday and after a small delay they came back via the intended route," WithSecure writes.
Other indicators exist besides a momentary but revealing operational security, or OPSEC, failure. They include hackers' usage of the Dtrack backdoor and Grease malware, a combination seen in activities of the North Korean Kimsuky threat group. Grease is malware capable of adding Windows administrator accounts and enabling remote desktop protocol. The Dtrack variant analyzed by researchers was similar to a variant used by North Korean hackers in a 2019 cyberattack against an Indian nuclear power plant.
The acres malware used to exfiltrate data - the malware responsible for the "No Pineapple" campaign name - is also similar to a remote access Trojan dubbed MagicRAT by researchers at Cisco Talos. Other evidence helping WithSecure to assess "with strong confidence" that North Korea perpetrated the cyberespionage campaign includes hackers' use of 3Proxy, Plink and Stunnel to establish persistence.
WithSecure also found North Korean influences in the passwords set by the threat actors. They all had a similar format, "most likely made by making a pattern on a U.S. layout keyboard." Examples include "1qaz123!@#" and "1qaz@@@#A@/add."
Campaign activity also happened to coincide with the Pyongyang working hours, beginning at midnight Universal Coordinated Time, which is 9 a.m. on the Korean Peninsula.
In all, hackers in the "No Pineapple" campaign stole 100 gigabytes of data.
*Update Feb. 2, 2023 15:46 UTC: Adds link to WithSecure blog post detailing the "No Pineapple" hacking campaign.