Security Experts:

Connect with us

Hi, what are you looking for?



North Korea’s Lazarus Targets Energy Firms With Three RATs

For roughly six months, the North Korean Lazarus hacking group has been targeting energy companies in Canada, the US, and Japan with three remote access trojans (RATs), Cisco reports.

For roughly six months, the North Korean Lazarus hacking group has been targeting energy companies in Canada, the US, and Japan with three remote access trojans (RATs), Cisco reports.

Active since at least 2009, also referred to as Hidden Cobra, and believed to be backed by the North Korean government, Lazarus has orchestrated various high-profile attacks, including the Ronin $600 million cryptocurrency heist and the $100 million hack of Harmony’s Horizon Bridge.

As part of some of the most recent campaigns, the group has been targeting various entities, such as defense and governmental organizations and companies in the chemical sector, with fake job offerings.

In July, the United States announced that it is offering rewards of up to $10 million for information on the individuals associated with Lazarus.

Between February and July 2022, Lazarus was seen primarily focusing energy companies in Canada, the U.S. and Japan, seeking to establish long-term access to victim networks in order to conduct cyberespionage operations, Cisco says.

While investigating the activity, which aligns with historical Lazarus attacks against critical infrastructure and energy sectors, security researchers with Cisco’s Talos group identified three different RATs, including a new, previously undisclosed trojan.

The advanced persistent threat (APT) actor targeted the Log4j vulnerability on exposed VMware Horizon servers for initial access, and then deployed a toolkit that included the VSingle, YamaBot, and MagicRAT backdoors.

Cisco’s Talos researchers observed three different Lazarus attacks characterized by the same tools, techniques and procedures (TTPs) and says that linking them together increases confidence that Lazarus was behind the campaign.

For the first victim, the attackers deployed the VSingle implant to perform reconnaissance, exfiltration and manual backdooring. A simple RAT, VSingle functions as a stager, allowing the APT to deploy additional payloads, and can also open a reverse shell to the attacker-controlled command and control (C&C) server.

As part of the attack on the second known victim, Lazarus used VSingle to deploy MagicRAT, a new backdoor that provides the attackers with a remote shell to execute arbitrary commands. The malware also has file manipulation capabilities, and can request and fetch from the C&C an executable disguised as a GIF file.

Lazarus attempted to deploy VSingle on the network of the third victim as well, but replaced it with YamaBot after several failed attempts. The Go-based backdoor uses HTTP for communication, can list files, download files, execute commands, send process information to the C&C, and uninstall itself.

As part of these attacks, Lazarus was also seen attempting to harvest credentials by exfiltrating copies of files containing Active Directory data. The APT used credential harvesting tools such as Mimikatz and Procdump, but also utilized proxy tools and reverse tunneling tools, Cisco says.

The threat actor was also seen creating rogue user accounts, gathering information on antivirus software to disable it, performing extensive reconnaissance, cleaning up after deploying backdoors, and deploying commonly used tools by other hacking groups.

Related: North Korean Hackers Use Fake Job Offers to Deliver New macOS Malware

Related: North Korean Hackers Abuse Windows Update in Attacks on Defense Industry

Related: North Korean Hackers Stole $400 Million Worth of Cryptocurrency in 2021

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...