A malicious campaign mounted by the North Korea-linked Lazarus Group targeted energy providers around the world, including those based in the United States, Canada, and Japan, between February and July 2022.
“The campaign is meant to infiltrate organizations around the world for establishing long-term access and subsequently exfiltrating data of interest to the adversary’s nation-state,” Cisco Talos said in a report shared with The Hacker News.
Some elements of the espionage attacks have already entered public domain, courtesy of prior reports from Broadcom-owned Symantec and AhnLab earlier this April and May. Symantec attributed the operation to a group referred to as Stonefly, a Lazarus subgroup which is better known as Andariel, Guardian of Peace, OperationTroy, and Silent Chollima.
While these attacks previously led to the instrumentation of Preft (aka Dtrack) and NukeSped (aka Manuscrypt) implants, the latest attack wave is notable for employing two other pieces of malware: VSingle, an HTTP bot which executes arbitrary code from a remote network, and a Golang backdoor called YamaBot.
Also put to use in the campaign is a new remote access trojan called MagicRAT that comes with capabilities to evade detection and launch additional payloads on the infected systems.
“Although the same tactics have been applied in both attacks, the resulting malware implants deployed have been distinct from one another, indicating the wide variety of implants available at the disposal of Lazarus,” researchers Jung soo An, Asheer Malhotra, and Vitor Ventura said.
Initial access into enterprise networks is facilitated by means of exploitation of vulnerabilities in VMware products (e.g., Log4Shell) with the ultimate goal of establishing persistent access to perform activities in support of North Korean government objectives.
The use of VSingle in one attack chain is said to have enabled the threat actor to carry out a variety of activities such as reconnaissance, exfiltration, and manual backdooring, giving the operators a solid understanding of the victim environment.
Other tactics embraced by the group besides the use of bespoke malware include credential harvesting via tools like Mimikatz and Procdump, disabling antivirus components, and reconnaissance of the Active Directory services, and even taking steps to cleanup their traces after activating the backdoors on the endpoint.