OpenCarrot Backdoor Deployed by North Korean Threat Actors
Two distinct nation-state groups originating from North Korea have been associated with a cyber intrusion targeting NPO Mashinostroyeniya, a significant Russian company specializing in missile engineering.
According to cybersecurity company SentinelOne, it detected "two instances of cyber compromises related to North Korea involving sensitive internal IT systems." These instances cover the compromise of an email server and the introduction of a Windows backdoor named OpenCarrot.
OpenCarrot's Complex Attribution
The breach of the Linux-based email server has been attributed to ScarCruft, while the OpenCarrot implant has previously been linked to the Lazarus Group, an established actor in this realm. The attacks were flagged in mid-May 2022.
Situated in Reutov, the NPO Mashinostroyeniya is a design bureau specializing in rockets. It was subjected to sanctions by the U.S. Treasury Department back in July 2014. These measures were taken due to its connection to "Russia's ongoing efforts to destabilize eastern Ukraine and its continued occupation of Crimea."
Although ScarCruft (also known as APT37) and the Lazarus Group share ties to North Korea, it's worth highlighting that ScarCruft falls under the supervision of the Ministry of State Security (MSS). In contrast, the Lazarus Group operates within Lab 110, a division of the Reconnaissance General Bureau (RGB), which serves as North Korea's primary foreign intelligence agency.
OpenCarrot's Capabilities
OpenCarrot runs as a Windows dynamic-link library (DLL) and supports more than 25 commands, which cover reconnaissance, file-system and process manipulation, and management of multiple communication methods.
The precise technique used to breach the email server, as well as the series of actions employed to deliver OpenCarrot, remains undisclosed. However, it is known that ScarCruft often employs social engineering tactics to deceive victims and introduce backdoors like RokRat.
Closer examination of the attack infrastructure also identified two domains, centos-packages[.]com and redhat-packages[.]com, whose names are strikingly similar to those used by the threat actors in the JumpCloud hack of June 2023.
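As an added defender-side example that is not part of the original report: a small Python script that refangs the two published domain indicators and checks constructed DNS resolver log lines for queries to those domains or their subdomains, while ignoring lookalikes that merely contain the string. The log format and the sample lines are assumptions made for this example.

```python
import re
from typing import List, Optional, Tuple

# Indicators exactly as published in the report, in defanged form.
DEFANGED_DOMAINS = ["centos-packages[.]com", "redhat-packages[.]com"]

# Constructed resolver log lines (BIND-style query log) for this example only.
SAMPLE_DNS_LOG = [
    "client 10.0.0.5#5353: query: mirror.centos-packages.com IN A + (10.0.0.1)",
    "client 10.0.0.7#44123: query: packages.centos.org IN A + (10.0.0.1)",
    "client 10.0.0.9#5353: query: REDHAT-PACKAGES.COM. IN AAAA + (10.0.0.1)",
    "client 10.0.0.3#5353: query: centos-packages.com.example.net IN A + (10.0.0.1)",
    "client 10.0.0.2#5353: query: redhat-packages.net IN A + (10.0.0.1)",
]

QUERY_RE = re.compile(r"query:\s+(\S+)\s+IN\b")


def refang(indicator: str) -> str:
    """Turn report-style defanged notation ('[.]', 'hxxp') back into a usable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def domain_matches(qname: str, iocs: List[str]) -> Optional[str]:
    """Return the IoC that qname equals or is a subdomain of, else None.

    Normalises case and a trailing root dot; requires a label boundary so that
    'centos-packages.com.example.net' does not match 'centos-packages.com'.
    """
    q = qname.lower().rstrip(".")
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(lines: List[str], defanged: List[str] = DEFANGED_DOMAINS) -> List[Tuple[str, str]]:
    """Return (queried name as logged, matched IoC) for every hit in the log lines."""
    iocs = [refang(d) for d in defanged]
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        ioc = domain_matches(m.group(1), iocs)
        if ioc:
            hits.append((m.group(1), ioc))
    return hits


if __name__ == "__main__":
    for qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"HIT {qname} -> {ioc}")
```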