Fri | Sep 9, 2022 | 3:47 PM PDT

The North Korean hacking group known as Lazarus has turned its attention to a new sector, targeting energy providers in the United States, Canada, and Japan in a campaign that lasted between February and July 2022.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) previously warned of the cyber gang targeting cryptocurrency and blockchain companies in April of this year. But, with the mounting global energy crisis, the North Korean state-sponsored Advanced Persistent Threat (APT) has decided to try to capitalize on the situation. 

A new report from Cisco Talos says it has observed the campaign exploiting vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations.

Talos believes the campaign's goal is to "infiltrate organizations around the world for establishing long term access and subsequently exfiltrating data of interest to the adversary's nation-state."

The report discusses the group's tactics, techniques, and procedures (TTPs):

"The TTPs used in these attacks also point to the Lazarus threat actor. The initial vector was the exploitation of the Log4j vulnerability on exposed VMware Horizon servers. Successful post-exploitation led to the download of their toolkit from web servers. The same initial vector, URL patterns and similar subsequent hands-on-keyboard activity have been described in this report from AhnLab from earlier this year.

There are also overlapping IOCs between the campaign described by AhnLab and the current campaign, such as the IP address 84[.]38.133[.]145, which was used as a hosting platform for the actors' malicious tools.

Although the same tactics have been applied in both attacks, the resulting malware implants deployed have been distinct from one another, indicating the wide variety of implants available at the disposal of Lazarus.

Additionally, we've also observed similarities in TTPs disclosed by Kaspersky attributed to the Andariel sub-group under the Lazarus umbrella, with the critical difference being the deployment of distinct malware. While Kaspersky discovered the use of Dtrack and Maui, we've observed the use of VSingle, YamaBot and MagicRAT."

Talos was also able to identify three distinct RATs (remote access trojans) employed by Lazarus, including VSingle and YamaBot, which are exclusively developed and distributed by the cyber gang.

The first case in the report shows how the group exploited publicly known vulnerabilities to deploy the VSingle backdoor on infected endpoints to establish long-term access. The image below shows this process:

As well as the VSingle infection chain:

In the second case described in the report, which follows a similar pattern to the first, the threat actors used VSingle to deploy MagicRAT. MagicRAT is a new backdoor that provides the attackers with a remote shell to execute arbitrary commands.

In the third case, Lazarus deployed VSingle again, but it failed multiple times, so it was replaced with YamaBot. Yamabot is a Go-based custom malware that can list and download files, send process information to C2, execute commands, and uninstall itself.

Talos says that the overall structure of the attacks was the same across multiple instances, similar to the three cases laid out above. Though it does list three key variations that include the use of:

  • Credential harvesting using tools such as Mimikatz and Procdump
  • Proxy tools to set up SOCKs proxies
  • Reverse tunneling tools such as PuTTY's plink

Lazarus, a hacking group that has been active since 2010, has had a busy year and probably will not be slowing down anytime soon.

See the report from Cisco Talos, Lazarus and the tale of three RATs, for more information.