Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

North Korea’s Lazarus Targets Energy Firms With Three RATs

For roughly six months, the North Korean Lazarus hacking group has been targeting energy companies in Canada, the US, and Japan with three remote access trojans (RATs), Cisco reports.

For roughly six months, the North Korean Lazarus hacking group has been targeting energy companies in Canada, the US, and Japan with three remote access trojans (RATs), Cisco reports.

Active since at least 2009, also referred to as Hidden Cobra, and believed to be backed by the North Korean government, Lazarus has orchestrated various high-profile attacks, including the Ronin $600 million cryptocurrency heist and the $100 million hack of Harmony’s Horizon Bridge.

As part of some of the most recent campaigns, the group has been targeting various entities, such as defense and governmental organizations and companies in the chemical sector, with fake job offerings.

In July, the United States announced that it is offering rewards of up to $10 million for information on the individuals associated with Lazarus.

Between February and July 2022, Lazarus was seen primarily focusing energy companies in Canada, the U.S. and Japan, seeking to establish long-term access to victim networks in order to conduct cyberespionage operations, Cisco says.

While investigating the activity, which aligns with historical Lazarus attacks against critical infrastructure and energy sectors, security researchers with Cisco’s Talos group identified three different RATs, including a new, previously undisclosed trojan.

The advanced persistent threat (APT) actor targeted the Log4j vulnerability on exposed VMware Horizon servers for initial access, and then deployed a toolkit that included the VSingle, YamaBot, and MagicRAT backdoors.

Cisco’s Talos researchers observed three different Lazarus attacks characterized by the same tools, techniques and procedures (TTPs) and says that linking them together increases confidence that Lazarus was behind the campaign.

For the first victim, the attackers deployed the VSingle implant to perform reconnaissance, exfiltration and manual backdooring. A simple RAT, VSingle functions as a stager, allowing the APT to deploy additional payloads, and can also open a reverse shell to the attacker-controlled command and control (C&C) server.

As part of the attack on the second known victim, Lazarus used VSingle to deploy MagicRAT, a new backdoor that provides the attackers with a remote shell to execute arbitrary commands. The malware also has file manipulation capabilities, and can request and fetch from the C&C an executable disguised as a GIF file.

Lazarus attempted to deploy VSingle on the network of the third victim as well, but replaced it with YamaBot after several failed attempts. The Go-based backdoor uses HTTP for communication, can list files, download files, execute commands, send process information to the C&C, and uninstall itself.

As part of these attacks, Lazarus was also seen attempting to harvest credentials by exfiltrating copies of files containing Active Directory data. The APT used credential harvesting tools such as Mimikatz and Procdump, but also utilized proxy tools and reverse tunneling tools, Cisco says.

The threat actor was also seen creating rogue user accounts, gathering information on antivirus software to disable it, performing extensive reconnaissance, cleaning up after deploying backdoors, and deploying commonly used tools by other hacking groups.

Related: North Korean Hackers Use Fake Job Offers to Deliver New macOS Malware

Related: North Korean Hackers Abuse Windows Update in Attacks on Defense Industry

Related: North Korean Hackers Stole $400 Million Worth of Cryptocurrency in 2021

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Nation-State

FBI says a North Korea-linked threat group known as Lazarus and APT38 is behind the $100 million Horizon bridge cryptocurrency heist.

Cyberwarfare

Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona