North Korea’s Lazarus Targets Energy Firms With Three RATs

For roughly six months, the North Korean Lazarus hacking group has been targeting energy companies in Canada, the US, and Japan with three remote access trojans (RATs), Cisco reports.

Active since at least 2009, also referred to as Hidden Cobra, and believed to be backed by the North Korean government, Lazarus has orchestrated various high-profile attacks, including the Ronin $600 million cryptocurrency heist and the $100 million hack of Harmony’s Horizon Bridge.

As part of some of the most recent campaigns, the group has been targeting various entities, such as defense and governmental organizations and companies in the chemical sector, with fake job offerings.

In July, the United States announced that it is offering rewards of up to $10 million for information on the individuals associated with Lazarus.

Between February and July 2022, Lazarus was seen primarily focusing on energy companies in Canada, the U.S. and Japan, seeking to establish long-term access to victim networks in order to conduct cyberespionage operations, Cisco says.

While investigating the activity, which aligns with historical Lazarus attacks against critical infrastructure and energy sectors, security researchers with Cisco’s Talos group identified three different RATs, including a new, previously undisclosed trojan.

The advanced persistent threat (APT) actor targeted the Log4j vulnerability on exposed VMware Horizon servers for initial access, and then deployed a toolkit that included the VSingle, YamaBot, and MagicRAT backdoors.

Cisco’s Talos researchers observed three different Lazarus attacks characterized by the same tools, techniques and procedures (TTPs), and say that linking them together increases confidence that Lazarus was behind the campaign.

For the first victim, the attackers deployed the VSingle implant to perform reconnaissance, exfiltration and manual backdooring. A simple RAT, VSingle functions as a stager, allowing the APT to deploy additional payloads, and can also open a reverse shell to the attacker-controlled command and control (C&C) server.

As part of the attack on the second known victim, Lazarus used VSingle to deploy MagicRAT, a new backdoor that provides the attackers with a remote shell to execute arbitrary commands. The malware also has file manipulation capabilities, and can request and fetch from the C&C an executable disguised as a GIF file.

Lazarus attempted to deploy VSingle on the network of the third victim as well, but replaced it with YamaBot after several failed attempts. The Go-based backdoor uses HTTP for communication, can list files, download files, execute commands, send process information to the C&C, and uninstall itself.

As part of these attacks, Lazarus was also seen attempting to harvest credentials by exfiltrating copies of files containing Active Directory data. The APT used credential harvesting tools such as Mimikatz and Procdump, but also utilized proxy tools and reverse tunneling tools, Cisco says.

The threat actor was also seen creating rogue user accounts, gathering information on antivirus software in order to disable it, performing extensive reconnaissance, cleaning up after deploying backdoors, and deploying tools commonly used by other hacking groups.
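The credential harvesting and account tampering described in the two paragraphs above are the post-exploitation steps that endpoint telemetry should surface. The following is an added example, not Talos or SecurityWeek material: a small Python triage routine that runs constructed Sysmon-style process-creation records through rules for LSASS dumping, rogue account creation and real-time AV protection being disabled. The hostnames, file paths and account name are invented.

```python
"""Triage constructed process-creation records for the behaviour reported above:
LSASS dumping via Procdump or Mimikatz, rogue local account creation, and
real-time AV protection being switched off. Added example; not Talos data."""
import re
from dataclasses import dataclass

# (rule name, MITRE ATT&CK technique, regex applied to the full command line)
RULES = [
    # Procdump by name, or a renamed copy betrayed by its '-ma <target>' arguments
    ("lsass_dump_procdump", "T1003.001",
     re.compile(r"(?:procdump(?:64)?|\s-ma)\b.*\blsass", re.I)),
    ("mimikatz_binary", "T1003", re.compile(r"\bmimikatz(?:\.exe)?\b", re.I)),
    # 'net user <name> <password> /add'; a bare 'net user <name>' query is not flagged
    ("rogue_local_account", "T1136.001",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("defender_rt_disabled", "T1562.001",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(?:\$true|1)\b", re.I)),
]

@dataclass
class Alert:
    host: str
    rule: str
    technique: str
    cmdline: str

def triage(records):
    """Return one Alert per record (dicts with 'host', 'cmdline') for the first rule that matches."""
    alerts = []
    for rec in records:
        cmd = rec.get("cmdline", "")
        for name, technique, pattern in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(rec["host"], name, technique, cmd))
                break
    return alerts

# Constructed sample events: hostnames, paths and the account name are invented
SAMPLE_RECORDS = [
    {"host": "WS01", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "WS01", "cmdline": r"C:\Users\Public\pd.exe -accepteula -ma lsass.exe C:\Users\Public\1.dmp"},
    {"host": "DC01", "cmdline": r"net user svcbackup Winter2022 /add /domain"},
    {"host": "DC01", "cmdline": r"net user administrator"},
    {"host": "SRV02", "cmdline": r'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "SRV02", "cmdline": r"C:\Windows\Temp\mimikatz.exe"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_RECORDS):
        print(f"[{a.technique}] {a.host}: {a.rule} <- {a.cmdline}")
```

The benign svchost line and the read-only `net user administrator` query produce no alert, while the renamed Procdump copy is still caught by its `-ma lsass` arguments.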

Related: North Korean Hackers Use Fake Job Offers to Deliver New macOS Malware

Related: North Korean Hackers Abuse Windows Update in Attacks on Defense Industry

Related: North Korean Hackers Stole $400 Million Worth of Cryptocurrency in 2021

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
