OpenCarrot Backdoor Deployed by North Korean Threat Actors

Two distinct North Korean nation-state groups have been linked to an intrusion at NPO Mashinostroyeniya, a major Russian missile engineering company.

SentinelOne, a cybersecurity company, says it detected "two instances of cyber compromises related to North Korea involving sensitive internal IT systems." The activity comprises the compromise of an email server and the deployment of a Windows backdoor tracked as OpenCarrot.

OpenCarrot's Complex Attribution

The breach of the Linux-based email server has been attributed to ScarCruft, while the OpenCarrot implant has previously been linked to the Lazarus Group, a well-established actor in this space. The intrusions were flagged in mid-May 2022.

NPO Mashinostroyeniya, based in Reutov, is a rocket design bureau. It was sanctioned by the U.S. Treasury Department in July 2014 over its connection to "Russia's ongoing efforts to destabilize eastern Ukraine and its continued occupation of Crimea."

Although ScarCruft (also known as APT37) and the Lazarus Group both operate on behalf of North Korea, ScarCruft reports to the Ministry of State Security (MSS), whereas the Lazarus Group operates within Lab 110, a division of the Reconnaissance General Bureau (RGB), the country's primary foreign intelligence agency.

OpenCarrot's Capabilities

OpenCarrot is implemented as a Windows dynamic-link library (DLL) and supports more than 25 commands covering reconnaissance, file system and process manipulation, and management of multiple communication methods.

The exact method used to breach the email server, and the chain used to deliver OpenCarrot, are not known. ScarCruft, however, is known to rely on social engineering to trick victims into running backdoors such as RokRat.

Closer analysis of the attack infrastructure also surfaced two domains, centos-packages[.]com and redhat-packages[.]com, whose names resemble those the threat actors used in the JumpCloud hack of June 2023.
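For defenders, the two domains above are the actionable part of this report. The following is an added example, not code from SentinelOne or the article, showing how to refang those indicators and sweep DNS query logs for exact matches and subdomains of them. The log format ("timestamp client qname qtype") and the log lines are constructed for illustration; the only facts taken from the text are the two domain names.

```python
"""Match defanged domain indicators against DNS query log lines.

Added example, not from the SentinelOne report or the article. The two
indicators are the domains named in the text; the log lines and their
format are constructed for illustration.
"""
import re

# Defanged indicators exactly as the article prints them.
INDICATORS = ["centos-packages[.]com", "redhat-packages[.]com"]


def refang(domain: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a real domain."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def matches_indicator(query: str, indicators=INDICATORS) -> bool:
    """True if the queried name is an indicator or a subdomain of one.

    A plain substring test would also flag 'notcentos-packages.com', so the
    check is exact match or a label boundary ('.' + indicator).
    """
    q = query.lower().rstrip(".")  # strip the trailing root dot some resolvers log
    for ioc in (refang(d) for d in indicators):
        if q == ioc or q.endswith("." + ioc):
            return True
    return False


# Constructed sample log lines (hypothetical format: "<ts> <client> <qname> <qtype>").
SAMPLE_LOG = """\
2023-08-08T10:01:02Z 10.0.0.12 mirror.centos.org A
2023-08-08T10:01:05Z 10.0.0.12 centos-packages.com A
2023-08-08T10:02:17Z 10.0.0.40 cdn.redhat-packages.com. A
2023-08-08T10:03:44Z 10.0.0.40 packages.redhat.com A
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def scan_log(text: str, indicators=INDICATORS):
    """Return (timestamp, client, qname) for each query that hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the whole sweep
        ts, client, qname, _qtype = m.groups()
        if matches_indicator(qname, indicators):
            hits.append((ts, client, qname.rstrip(".")))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("HIT", *hit)
```

Legitimate CentOS and Red Hat mirrors (mirror.centos.org, packages.redhat.com) are deliberately included in the sample so the label-boundary check can be seen to leave them alone while still catching a subdomain of an indicator.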

August 8, 2023