ThreatNeedle

ThreatNeedle is a backdoor that has been used by Lazarus Group since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of Lazarus Group's Manuscrypt (a.k.a. NukeSped) malware family.[1]

ID: S0665
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 30 November 2021
Last Modified: 10 April 2024

Techniques Used

Domain ID Name Use

Enterprise T1005 Data from Local System

ThreatNeedle can collect data and files from a compromised host.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

ThreatNeedle chooses its payload creation path from a randomly selected service name from netsvc.[1]

Enterprise T1112 Modify Registry

ThreatNeedle can modify the Registry to save its configuration data as the following RC4-encrypted Registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

ThreatNeedle can run in memory and register its payload as a Windows service.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

ThreatNeedle can decrypt its payload using RC4, AES, or one-byte XORing.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

ThreatNeedle can be loaded into the Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\OneDrives.lnk) as a Shortcut file for persistence.[1]

Enterprise T1083 File and Directory Discovery

ThreatNeedle can obtain file and directory information.[1]

Enterprise T1027 .011 Obfuscated Files or Information: Fileless Storage

ThreatNeedle can save its configuration data as an RC4-encrypted Registry key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

ThreatNeedle has been compressed and obfuscated using RC4, AES, or XOR.[1]

Enterprise T1204 .002 User Execution: Malicious File

ThreatNeedle relies on a victim to click on a malicious document for initial execution.[1]

Enterprise T1082 System Information Discovery

ThreatNeedle can collect system profile information from a compromised host.[1]

Enterprise T1105 Ingress Tool Transfer

ThreatNeedle can download additional tools to enable lateral movement.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

ThreatNeedle has been distributed via a malicious Word document within a spearphishing email.[1]
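The two host artifacts named above (the GameCon Registry key used for T1112/T1027.011 and the OneDrives.lnk Startup shortcut used for T1547.001) can be checked directly on an endpoint. The following is an added hunting script written for this page, not code from ATT&CK or from the malware; it assumes it runs with administrator rights and that user profiles live under C:\Users, and since the page does not name the values stored under GameCon, it reports whatever values are present.

```powershell
# Added example: report ThreatNeedle persistence/config artifacts listed on this page.
# Assumes administrator rights and user profiles under C:\Users.

function Find-ThreatNeedleArtifacts {
    [CmdletBinding()]
    param()

    $findings = @()

    # T1112 / T1027.011: RC4-encrypted configuration stored as GameCon under CurrentVersion.
    # Checked both as a subkey and as a value, since the page does not say which form is used.
    $parent  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
    $keyPath = Join-Path -Path $parent -ChildPath 'GameCon'
    if (Test-Path -Path $keyPath) {
        $valueNames = (Get-ItemProperty -Path $keyPath).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            Select-Object -ExpandProperty Name
        $findings += [pscustomobject]@{
            Technique = 'T1112/T1027.011'
            Artifact  = $keyPath
            Detail    = 'Subkey present; values: ' + ($valueNames -join ', ')
        }
    }
    $asValue = Get-ItemProperty -Path $parent -Name 'GameCon' -ErrorAction SilentlyContinue
    if ($null -ne $asValue) {
        $findings += [pscustomobject]@{
            Technique = 'T1112/T1027.011'
            Artifact  = "$parent\GameCon (value)"
            Detail    = 'Value present; length ' + ($asValue.GameCon | Measure-Object).Count
        }
    }

    # T1547.001: OneDrives.lnk in the Startup folder. The page gives the %APPDATA% path,
    # so every user profile on the host is checked, not only the current user's.
    $shell    = New-Object -ComObject WScript.Shell
    $relative = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrives.lnk'
    foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $lnk = Join-Path -Path $userDir.FullName -ChildPath $relative
        if (Test-Path -Path $lnk) {
            $target = $shell.CreateShortcut($lnk).TargetPath   # resolve what the shortcut launches
            $findings += [pscustomobject]@{
                Technique = 'T1547.001'
                Artifact  = $lnk
                Detail    = "Shortcut target: $target"
            }
        }
    }

    return $findings
}

$results = @(Find-ThreatNeedleArtifacts)
if ($results.Count -eq 0) { 'No ThreatNeedle artifacts found on this host.' }
else { $results | Format-Table -AutoSize }
```

A hit on either artifact warrants pulling the shortcut target and the Registry data for analysis rather than deleting them on the spot, since both are the page's stated locations for the backdoor's payload and configuration.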

Groups That Use This Software

ID Name References
G0032 Lazarus Group [1]

References