A malicious campaign mounted by the North Korea-linked Lazarus Group targeted energy providers around the world, including organizations based in the United States, Canada and Japan, between February and July 2022.
“The campaign is intended to infiltrate organizations around the world to establish long-term access and then extract data of interest to the adversary’s nation-state,” Cisco Talos said in a report shared with The Hacker News.
Some elements of the espionage attacks have already entered the public domain, thanks to reports from Broadcom-owned Symantec and AhnLab earlier this year, in April and May. Symantec attributed the operation to a group referred to as Stonefly, a subset of Lazarus that is better known as Andariel, Peacekeeper, Operation Troy and Silent Chollima.
While the earlier attacks led to the deployment of the Preft (aka Dtrack) and NukeSped (aka Manuscrypt) implants, the latest attack wave is notable for using two other pieces of malware: VSingle, an HTTP bot that executes arbitrary code fetched from a remote network, and a Golang backdoor called YamaBot.
Also deployed in the campaign is a new remote access trojan (RAT) called MagicRAT, which comes with the ability to evade detection and drop additional payloads on infected systems.
“Although the same tactics were applied in both attacks, the resulting malware implants deployed were distinct from each other, indicating the wide variety of implants available to Lazarus,” said researchers Jung soo An, Asheer Malhotra and Vitor Ventura.
Initial access to enterprise networks is gained by exploiting vulnerabilities in VMware products (e.g., Log4Shell), with the ultimate goal of establishing persistent access to conduct activities in support of North Korean government objectives.
The use of VSingle in the attack chain is said to have enabled the threat actor to perform a variety of activities, such as discovery, exfiltration and manual shutdown, giving the operators a strong understanding of the victim’s environment.
Beyond the custom malware, other tactics embraced by the group include harvesting credentials with tools such as Mimikatz and Procdump, disabling antivirus components, discovering Active Directory services, and even taking steps to clean up their tracks after planting backdoors on the endpoint.