
North Korean Hackers Stole Research Data Using Zimbra Vulnerability

North Korean hackers have been linked to a new cyber-espionage operation, codenamed “No Pineapple”, in which the threat actors took a victim’s data quietly and without causing any disruption.

The campaign ran from August to November 2022. A manufacturer of technology used in the energy, research, defence, and healthcare sectors was among the targets of the malicious operation, which may have been an effort to compromise the supply chain. Other targets included a chemical engineering department at a reputable research university and an organisation that conducts healthcare research in India.

This information comes from the Finnish cybersecurity firm WithSecure (formerly F-Secure), which gave the event the codename “No Pineapple” after an error message seen in one of the backdoors.

Using a variety of evidence, WithSecure was able to attribute the activity to Lazarus, and in doing so it also uncovered some new Lazarus tradecraft. The evidence includes the use of development systems with IP addresses but no domain names, and a new iteration of the information-stealing malware known as Dtrack.

Lazarus is a skilled Advanced Persistent Threat (APT) group that is commonly believed to be part of North Korea’s Foreign Intelligence and Reconnaissance Bureau.

The energy sector, medical research, governmental and private research institutions, and the energy industry’s supply chain have all been listed as active targets of the North Korean hacking group Lazarus.

North Korean Hackers’ Techniques to Compromise Data

In August 2022, the Lazarus hackers compromised the victim’s network by using the Zimbra vulnerabilities CVE-2022-27925 and CVE-2022-37042 to deploy a web shell onto the target’s mail server. This initial access could then be leveraged for remote code execution on the host system.

After successfully compromising the network, the hackers used the tunnelling tools “Plink” and “3Proxy” to build reverse tunnels back to the threat actors’ infrastructure, allowing their traffic to bypass the firewall.

According to reports, the attacker then engaged in lateral movement and reconnaissance, and finally, in October 2022, deployed backdoors including Dtrack and a newer version of GREASE.

GREASE has been attributed to Kimsuky, a different North Korean threat group. It can create new administrator accounts with remote desktop protocol (RDP) access while also bypassing firewall rules. The malware, executed on the host as a DLL (“Ord.dll”), used the PrintNightmare vulnerability to gain administrative privileges.

After the hacker group gained access to an unnamed client, an estimated 100GB or more of data was exfiltrated. The breach most likely occurred in the third quarter of 2022.

The threat actors’ working hours were figured out by WithSecure to be 9 AM to 10 PM, between Monday and Saturday.

In a report, WithSecure clarified:

Time zone attribution analysis concluded that the time zone aligns with UTC +9. Reviewing activity by time of day finds that most threat actor activity occurred between 00:00 to 15:00 UTC (09:00 and 21:00 UTC +9). Analysing activity by day of the week suggests that the threat actor was active Monday to Saturday, a common work pattern for DPRK.

Lazarus’ latest campaign’s working hours (WithSecure)
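The time-zone attribution described in the quoted passage, as an added example that is not from WithSecure or this article: given a constructed set of attacker activity timestamps in UTC (web-shell hits, task creations and the like, pulled from logs), it scores every whole-hour UTC offset against the 9 AM to 10 PM, Monday to Saturday pattern and returns the best fit together with the hour and weekday profile an analyst should inspect alongside the score. The sample events, working window and offset range are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of threat-actor activity timestamps in UTC (e.g. web-shell
# requests, scheduled-task creations). Not data from the WithSecure report.
EVENTS_UTC = [
    "2022-09-05T00:05:00Z", "2022-09-05T03:40:00Z", "2022-09-06T06:15:00Z",
    "2022-09-07T09:30:00Z", "2022-09-08T12:50:00Z", "2022-09-09T01:20:00Z",
    "2022-09-10T02:00:00Z", "2022-09-10T11:45:00Z",
]

WORK_HOURS = range(9, 22)   # 09:00-21:59 local: the 9 AM to 10 PM pattern
WORK_DAYS = range(0, 6)     # Monday (0) to Saturday (5)

def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def score_offset(events, offset_hours: int) -> float:
    """Fraction of events inside the working pattern when viewed in UTC+offset."""
    tz = timezone(timedelta(hours=offset_hours))
    local = [parse_utc(e).astimezone(tz) for e in events]
    hits = sum(1 for t in local if t.hour in WORK_HOURS and t.weekday() in WORK_DAYS)
    return hits / len(local)

def rank_offsets(events):
    """Score every whole-hour offset from UTC-12 to UTC+14, best fit first.
    Ties go to the smaller absolute offset; a tie means the data cannot decide."""
    scored = [(off, score_offset(events, off)) for off in range(-12, 15)]
    return sorted(scored, key=lambda p: (-p[1], abs(p[0])))

def best_offset(events) -> int:
    return rank_offsets(events)[0][0]

def activity_profile(events, offset_hours: int):
    """Distinct local hours and weekdays seen in the chosen zone. A single score
    can hide a bimodal or shifted pattern, so always look at the distribution."""
    tz = timezone(timedelta(hours=offset_hours))
    local = [parse_utc(e).astimezone(tz) for e in events]
    names = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
    return {
        "hours": sorted({t.hour for t in local}),
        "days": [names[d] for d in sorted({t.weekday() for t in local})],
    }

if __name__ == "__main__":
    off = best_offset(EVENTS_UTC)
    print(f"best-fit zone: UTC{off:+d} (score {score_offset(EVENTS_UTC, off):.2f})")
    print(activity_profile(EVENTS_UTC, off))
```

Working-hour fit is a weak signal on its own: a 13-hour window admits neighbouring offsets almost as well, and an actor can shift its schedule, so treat the result as one input to attribution rather than a conclusion.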

North Korean hackers were active throughout 2022, carrying out several cryptocurrency heists and cyber warfare attacks that further the government’s objectives.

According to Chainalysis, a blockchain analytics company:

North Korea-linked hackers such as those in cybercriminal syndicate Lazarus Group have been by far the most prolific cryptocurrency hackers over the last few years. 2022 was the biggest year ever for crypto hacking.

WithSecure’s assessment of the victim’s collected network records indicated that one of the attackers’ web shells was communicating with a North Korean IP address (175.45.176.27).

According to WithSecure, the commands executed on the compromised network devices were very similar to those embedded in the Lazarus malware. However, they frequently contained errors and failed to run, indicating that the operators were typing them in manually using Impacket’s “atexec” tool.

Even highly skilled cyber attackers like Lazarus sometimes make mistakes, which in this case allowed the campaign to be attributed to the group.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks.
