North Korean APT Group “Lazarus” (APT38) uses VMWare Horizon servers to access corporate networks of energy suppliers in the United States, Canada and Japan.
Lazarus is a state-backed threat actor known for his espionage, data theft and cryptocurrency campaigns over the past decade. Threat actors are responsible for hundreds of sophisticated attacks internationally.
According to Cisco Talos researchers, who uncovered the latest operation, Lazarus targeted energy organizations between February and July 2022, using public VMWare Horizon exploits for first access.
From there, they used custom malware families like “VSingle” and “YamaBot” and a previously unknown remote access trojan (RAT) called “MagicRAT” which is used to search and steal data from infected devices. Symantec threat hunters analyzed the same campaign in April and ASEC researchers in May. However, Cisco’s report goes deeper and reveals much more detail about the threat actor’s activities.
Multiple attack strategies
Cisco Talos showcases several attack strategies that illustrate the latest Lazarus techniques, tactics, and procedures (TTPs) and highlight the versatility of the sophisticated hacking group.
In the first case, attackers exploit VMWare servers, which are vulnerable to Log4Shell bugs, to run shellcode that sets up a reverse shell to execute arbitrary commands on the compromised terminal.
Since VMWare Horizon runs with elevated privileges, Lazarus can disable Windows Defender via registry key changes, WMIC commands, and PowerShell before VSingle deployment.
The VSingle backdoor supports advanced network reconnaissance commands, sets the stage for credential theft, creates new admin users on the host, and finally creates a reverse shell connection to the C2 to retrieve plugins which extend its functionality.
In the second case featured in the report involving a different victim, initial access and recognition follow similar patterns, but this time hackers abandoned MagicRAT with VSingle.
Talos published a separate MagicRAT article yesterday detailing all the features of this previously unknown Trojan.
MagicRAT can self-build persistence by running hard-coded commands that create necessary scheduled tasks, help with system recognition, and fetch additional malware from C2 like TigerRAT.
In the third case of intrusion, Lazarus implements YamaBot, a custom malware written in Go, with standard RAT features such as:
- List files and folders.
- Send the process information to C2.
- Download files from remote locations.
- Complete random commands on endpoints.
- remove themselves
- The Japanese CERT connected YamaBot to Lazarus in July 2022, highlighting its C2 encrypted communication capabilities. The diversification of Lazarus’ attack chain is not limited to the ultimate malware payloads, but extends to proxy or reverse tunneling tools and credential gathering techniques.
“In one case, attackers attempted to obtain Active Directory information on a single endpoint via PowerShell cmdlets. However, the next day, the attackers used adfind.exe to extract similar information on the same endpoint, ”Cisco Talos explains in the report.
The idea behind these variations is to confuse TTPs and make attribution, detection and defense more difficult for rescuers.
As highlighted in this report, Lazarus is closely monitored by cybersecurity companies, so they can’t afford to get lazy in diversifying their attack chains.
This diversification of attacks is illustrated by the wide range of attacks by hacker Lazarus, including their targeting of IT job seekers, creation of fake cryptocurrency trading apps, creation of trojan development tools, l use of ransomware as bait and the massive $ 620 million cryptocurrency theft from the Ronin Bridge.