For roughly six months, the North Korean Lazarus hacking group has been targeting energy companies in Canada, the US, and Japan with three remote access trojans (RATs), Cisco reports.
Active since at least 2009, also referred to as Hidden Cobra, and believed to be backed by the North Korean government, Lazarus has orchestrated various high-profile attacks, including the Ronin $600 million cryptocurrency heist and the $100 million hack of Harmony’s Horizon Bridge.
As part of some of the most recent campaigns, the group has been targeting various entities, such as defense and governmental organizations and companies in the chemical sector, with fake job offerings.
In July, the United States announced that it is offering rewards of up to $10 million for information on the individuals associated with Lazarus.
Between February and July 2022, Lazarus was seen primarily focusing energy companies in Canada, the U.S. and Japan, seeking to establish long-term access to victim networks in order to conduct cyberespionage operations, Cisco says.
While investigating the activity, which aligns with historical Lazarus attacks against critical infrastructure and energy sectors, security researchers with Cisco’s Talos group identified three different RATs, including a new, previously undisclosed trojan.
The advanced persistent threat (APT) actor targeted the Log4j vulnerability on exposed VMware Horizon servers for initial access, and then deployed a toolkit that included the VSingle, YamaBot, and MagicRAT backdoors.
Cisco’s Talos researchers observed three different Lazarus attacks characterized by the same tools, techniques and procedures (TTPs) and says that linking them together increases confidence that Lazarus was behind the campaign.
For the first victim, the attackers deployed the VSingle implant to perform reconnaissance, exfiltration and manual backdooring. A simple RAT, VSingle functions as a stager, allowing the APT to deploy additional payloads, and can also open a reverse shell to the attacker-controlled command and control (C&C) server.
As part of the attack on the second known victim, Lazarus used VSingle to deploy MagicRAT, a new backdoor that provides the attackers with a remote shell to execute arbitrary commands. The malware also has file manipulation capabilities, and can request and fetch from the C&C an executable disguised as a GIF file.
Lazarus attempted to deploy VSingle on the network of the third victim as well, but replaced it with YamaBot after several failed attempts. The Go-based backdoor uses HTTP for communication, can list files, download files, execute commands, send process information to the C&C, and uninstall itself.
As part of these attacks, Lazarus was also seen attempting to harvest credentials by exfiltrating copies of files containing Active Directory data. The APT used credential harvesting tools such as Mimikatz and Procdump, but also utilized proxy tools and reverse tunneling tools, Cisco says.
The threat actor was also seen creating rogue user accounts, gathering information on antivirus software to disable it, performing extensive reconnaissance, cleaning up after deploying backdoors, and deploying commonly used tools by other hacking groups.