Keypoints
- SentinelLabs found two DPRK-affiliated intrusions at NPO Mashinostroyeniya: an email server compromise and a Windows backdoor (OpenCarrot) on internal hosts.
- The Linux email server vpk.npomash[.]ru (185.24.244[.]11) was beaconing to infrastructure attributed to ScarCruft, consistent with RokRAT-related tooling and techniques.
- OpenCarrot — attributed to Lazarus — was implemented as a persistent Windows service DLL and supports >25 backdoor commands including reconnaissance, filesystem/process manipulation, and C2 proxying.
- OpenCarrot uses code virtualization (.vlizer section via Oreans/Themida), encrypted configuration files named with the service + dll.mui extension, and long-sleep/drive-monitoring logic to avoid detection.
- Malicious infrastructure included domains centos-packages[.]com and redhat-packages[.]com resolving to VPS hosts (CrownCloud/OhzCloud), with later overlap to QuickPacket IPs used by ScarCruft (e.g., 160.202.79[.]226 and dallynk[.]com).
- Evidence indicates operators paused/terminated C2 infrastructure quickly after discovery (May 2022), and historical overlaps underscore the importance of time-scoped attribution for IPs and domains.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Brief description: delivery of malicious archives/attachments to deliver OpenCarrot and tools (‘The attackers used spear phishing emails to deliver a malicious ZIP file containing a Windows backdoor dubbed OpenCarrot and a compromised email server.’)
- [T1204] User Execution – Brief description: victims executed payloads delivered via phishing attachments (‘Victims were tricked into executing the malicious payload by opening the attachments in the phishing emails.’)
- [T1059.001] Command and Scripting Interpreter: PowerShell – Brief description: PowerShell used to run payloads and perform system actions (‘PowerShell commands were used to execute the malicious payload and perform various actions on the compromised systems.’)
- [T1543.003] Create or Modify System Process: Windows Service – Brief description: OpenCarrot implemented as a service DLL for persistence (‘The OpenCarrot backdoor was implemented as a Windows service DLL file to ensure persistent execution.’)
- [T1027] Obfuscated Files or Information – Brief description: code virtualization and encrypted configuration used to hide functionality (‘OpenCarrot implements executable code in a section named .vlizer indicating the use of code virtualization for obfuscation.’)
- [T1036] Masquerading – Brief description: use of legitimate-looking resource names/extensions to blend in (‘The use of configuration files with the dll.mui extension mimics a lesser-known Windows resource file to conceal C2 configuration.’)
- [T1055] Process Injection – Brief description: malware supports DLL injection and process manipulation to evade detection and execute code in other processes (‘Process termination, DLL injection, and file deletion, renaming, and timestomping.’)
- [T1016] System Network Configuration Discovery – Brief description: network scanning and ICMP pings to enumerate hosts and open ports (‘File and process attribute enumeration, scanning and ICMP-pinging hosts in IP ranges for open TCP ports and availability.’)
- [T1114.002] Email Collection: Remote Email Collection – Brief description: compromised mail server used to gather emails and credentials (‘The compromised vpk.npomash[.]ru email server was used to collect internal emails and credentials.’)
- [T1071] Application Layer Protocol – Brief description: multiple C2 communication methods including proxying through internal hosts and direct external connections (‘OpenCarrot used multiple methods for communicating with C2 servers, including proxying through internal hosts and direct external connections.’)
- [T1041] Exfiltration Over C2 Channel – Brief description: collected data transmitted via established C2 channels (‘The attackers exfiltrated collected data through the C2 channel established by the OpenCarrot backdoor.’)
- [T1485] Data Destruction – Brief description: deletion/timestomping of files to remove evidence (‘Internal emails indicate that the attackers identified and deleted a suspicious DLL file, possibly to remove traces.’)
Indicators of Compromise
- [MD5] Backdoor/sample hashes – 9216198a2ebc14dd68386738c1c59792, 6ad6232bcf4cef9bf40cbcae8ed2f985, and 5 more hashes
- [SHA1] Backdoor/sample hashes – 07b494575d548a83f0812ceba6b8d567c7ec86ed, 2217c29e5d5ccfcf58d2b6d9f5e250b687948440, and 5 more hashes
- [Domains] Malicious/impersonation domains used for C2 and payload delivery – centos-packages[.]com, redhat-packages[.]com, dallynk[.]com, and others (yolenny[.]com, 606qipai[.]com, asplinc[.]com)
- [Hostnames] Compromised public service – vpk.npomash[.]ru (business Red Hat email server) – resolved to 185.24.244[.]11
- [IP Addresses] C2 and hosting IPs – 192.169.7[.]197 (C2 observed Jan–May 2022), 5.134.119[.]142, 160.202.79[.]226, and 96.9.255[.]150
- [Filenames/Config] Malware artifact and config naming – service DLL implemented with configuration file using the dll.mui extension (service-name + dll.mui)
The technical intrusion path combined a persistent Windows service DLL (OpenCarrot) and a long-running compromise of a public Red Hat email server (vpk.npomash[.]ru). OpenCarrot was built as a service DLL exporting ServiceMain, loading encrypted configuration from a file named using the host service name plus a dll.mui extension, and implemented code virtualization in a .vlizer section (Oreans/Themida). The binary contained over 25 commands covering reconnaissance (file/process enumeration, IP range scanning, ICMP), filesystem/process manipulation (DLL injection, process termination, file deletion/renaming/timestomping), C2 reconfiguration and proxying, and multiple execution paths including listening TCP ports and named pipes.
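Two of the host artefacts described above (a configuration file named service name + dll.mui beside the service DLL, and a `.vlizer` section in the binary) can be hunted for directly. The following is an added illustration, not code from SentinelLabs or the report; the file listing and the header-only PE skeleton are constructed test data, and the assumption that legitimate MUI resources live in a locale subfolder rather than beside the binary is the editor's, not the report's.

```python
import struct
from pathlib import PureWindowsPath

def suspicious_mui_configs(service_dlls, present_files):
    """Flag a <service name> + 'dll.mui' file sitting beside a service DLL.

    service_dlls: {service_name: path of the DLL that service loads}
    present_files: paths observed on disk (e.g. a directory listing).
    Assumption: genuine MUI resources live in a locale subfolder such as
    en-US, so a 'dll.mui' next to the service binary itself is worth review.
    """
    seen = {PureWindowsPath(p).as_posix().lower() for p in present_files}
    hits = []
    for svc, dll in service_dlls.items():
        cfg = PureWindowsPath(dll).with_name(svc + "dll.mui")
        if cfg.as_posix().lower() in seen:
            hits.append((svc, str(cfg)))
    return hits

def pe_section_names(data):
    """Read section names from an in-memory PE image (standard library only)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsec):
        raw = data[table + 40 * i:table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def has_vlizer_section(data):
    """True when the PE carries the '.vlizer' section the report ties to
    Oreans code virtualisation; a triage signal, not proof of OpenCarrot."""
    return ".vlizer" in pe_section_names(data)

def build_sample_pe(section_names):
    """Constructed header-only PE skeleton for offline testing (not a real sample)."""
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0")) + struct.pack("<I", 0x40)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0)
    for name in section_names:
        hdr += name.encode().ljust(8, b"\0") + b"\0" * 32  # 40-byte section header
    return bytes(hdr)
```

Run `has_vlizer_section` over DLLs referenced by service registrations and `suspicious_mui_configs` over the same directories; treat a hit on either as a reason to pull the file for analysis rather than as a verdict.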
Operational behavior included long sleep intervals with an early-wakeup mechanism monitoring for removable media insertion, support for proxying C2 traffic both through internal hosts and directly to external servers, and use of encrypted C2 configuration. The email server was observed beaconing to C2 infrastructure (e.g., 192.169.7[.]197 and 5.134.119[.]142) served via VPS providers and domains such as centos-packages[.]com / redhat-packages[.]com; those domains/IPs later showed linkage to ScarCruft-associated infrastructure (e.g., 160.202.79[.]226 and dallynk[.]com) used for RokRAT-style delivery.
Forensic indicators include multiple MD5/SHA1 samples (listed above), domain and IP mappings, and the distinctive dll.mui configuration naming pattern. The timeline shows infrastructure activation in late 2021, active beaconing through May 2022 (paused/terminated quickly after discovery), and subsequent reuse of domain names/IPs in ScarCruft campaigns—highlighting quick operator reaction and the need to correlate indicators with active timeframes for accurate attribution.
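The final point, that an IP or domain must be matched against the window in which a given operator actually used it, is easy to get wrong when a static blocklist is replayed over old logs. The following added example (the editor's, not the report's) scopes indicator hits by date: the 192.169.7.197 window reuses the Jan to May 2022 observation given above, while the second record, its actor label and all log events are constructed placeholders.

```python
from datetime import date

# Constructed infrastructure timeline. Only the first window's dates come from the
# report (C2 observed Jan-May 2022); the second record is an illustrative placeholder
# standing in for later, unrelated reuse of the same address.
INFRA_WINDOWS = [
    {"indicator": "192.169.7.197", "actor": "Lazarus (OpenCarrot C2)",
     "first_seen": date(2022, 1, 1), "last_seen": date(2022, 5, 31)},
    {"indicator": "192.169.7.197", "actor": "later tenant (placeholder)",
     "first_seen": date(2022, 9, 1), "last_seen": date(2023, 3, 31)},
]

def attributions_at(indicator, when, windows=INFRA_WINDOWS):
    """Actors whose use of `indicator` was active on date `when` (may be empty)."""
    return [w["actor"] for w in windows
            if w["indicator"] == indicator and w["first_seen"] <= when <= w["last_seen"]]

def scope_ioc_hits(events, windows=INFRA_WINDOWS):
    """Split log hits on known indicators into in-window and stale matches.

    events: iterable of (date, destination) tuples, e.g. from proxy or firewall logs.
    A stale hit means the destination is on the list but no actor was using it on
    that date, so it should be triaged as unknown rather than auto-attributed.
    """
    known = {w["indicator"] for w in windows}
    scoped, stale = [], []
    for when, dst in events:
        if dst not in known:
            continue  # not an indicator at all; nothing to attribute
        actors = attributions_at(dst, when, windows)
        (scoped if actors else stale).append((when, dst, actors))
    return scoped, stale
```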