Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



North Korea’s Lazarus Targets Energy Firms With Three RATs

For roughly six months, the North Korean Lazarus hacking group has been targeting energy companies in Canada, the US, and Japan with three remote access trojans (RATs), Cisco reports.

For roughly six months, the North Korean Lazarus hacking group has been targeting energy companies in Canada, the US, and Japan with three remote access trojans (RATs), Cisco reports.

Active since at least 2009, also referred to as Hidden Cobra, and believed to be backed by the North Korean government, Lazarus has orchestrated various high-profile attacks, including the Ronin $600 million cryptocurrency heist and the $100 million hack of Harmony’s Horizon Bridge.

As part of some of the most recent campaigns, the group has been targeting various entities, such as defense and governmental organizations and companies in the chemical sector, with fake job offerings.

In July, the United States announced that it is offering rewards of up to $10 million for information on the individuals associated with Lazarus.

Between February and July 2022, Lazarus was seen primarily focusing energy companies in Canada, the U.S. and Japan, seeking to establish long-term access to victim networks in order to conduct cyberespionage operations, Cisco says.

While investigating the activity, which aligns with historical Lazarus attacks against critical infrastructure and energy sectors, security researchers with Cisco’s Talos group identified three different RATs, including a new, previously undisclosed trojan.

The advanced persistent threat (APT) actor targeted the Log4j vulnerability on exposed VMware Horizon servers for initial access, and then deployed a toolkit that included the VSingle, YamaBot, and MagicRAT backdoors.

Cisco’s Talos researchers observed three different Lazarus attacks characterized by the same tools, techniques and procedures (TTPs) and says that linking them together increases confidence that Lazarus was behind the campaign.

Advertisement. Scroll to continue reading.

For the first victim, the attackers deployed the VSingle implant to perform reconnaissance, exfiltration and manual backdooring. A simple RAT, VSingle functions as a stager, allowing the APT to deploy additional payloads, and can also open a reverse shell to the attacker-controlled command and control (C&C) server.

As part of the attack on the second known victim, Lazarus used VSingle to deploy MagicRAT, a new backdoor that provides the attackers with a remote shell to execute arbitrary commands. The malware also has file manipulation capabilities, and can request and fetch from the C&C an executable disguised as a GIF file.

Lazarus attempted to deploy VSingle on the network of the third victim as well, but replaced it with YamaBot after several failed attempts. The Go-based backdoor uses HTTP for communication, can list files, download files, execute commands, send process information to the C&C, and uninstall itself.

As part of these attacks, Lazarus was also seen attempting to harvest credentials by exfiltrating copies of files containing Active Directory data. The APT used credential harvesting tools such as Mimikatz and Procdump, but also utilized proxy tools and reverse tunneling tools, Cisco says.

The threat actor was also seen creating rogue user accounts, gathering information on antivirus software to disable it, performing extensive reconnaissance, cleaning up after deploying backdoors, and deploying commonly used tools by other hacking groups.

Related: North Korean Hackers Use Fake Job Offers to Deliver New macOS Malware

Related: North Korean Hackers Abuse Windows Update in Attacks on Defense Industry

Related: North Korean Hackers Stole $400 Million Worth of Cryptocurrency in 2021

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights