S0665 ThreatNeedle
ThreatNeedle is a backdoor that has been used by Lazarus Group since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of Lazarus Group‘s Manuscrypt (a.k.a. NukeSped) malware family.1
| Item | Value |
|---|---|
| ID | S0665 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 30 November 2021 |
| Last Modified | 26 March 2023 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | ThreatNeedle can be loaded into the Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\OneDrives.lnk) as a Shortcut file for persistence.1 |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | ThreatNeedle can run in memory and register its payload as a Windows service.1 |
| enterprise | T1005 | Data from Local System | ThreatNeedle can collect data and files from a compromised host.1 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | ThreatNeedle can decrypt its payload using RC4, AES, or one-byte XORing.1 |
| enterprise | T1083 | File and Directory Discovery | ThreatNeedle can obtain file and directory information.1 |
| enterprise | T1105 | Ingress Tool Transfer | ThreatNeedle can download additional tools to enable lateral movement.1 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | ThreatNeedle chooses its payload creation path from a randomly selected service name from netsvc.1 |
| enterprise | T1112 | Modify Registry | ThreatNeedle can modify the Registry to save its configuration data as the following RC4-encrypted Registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon.1 |
| enterprise | T1027 | Obfuscated Files or Information | ThreatNeedle has been compressed and obfuscated using RC4, AES, or XOR.1 |
| enterprise | T1027.011 | Fileless Storage | ThreatNeedle can save its configuration data as a RC4-encrypted Registry key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon.1 |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | ThreatNeedle has been distributed via a malicious Word document within a spearphishing email.1 |
| enterprise | T1082 | System Information Discovery | ThreatNeedle can collect system profile information from a compromised host.1 |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | ThreatNeedle relies on a victim to click on a malicious document for initial execution.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group | 1 |