A malicious campaign mounted by the North Korea-linked Lazarus Group targets energy providers worldwide, including those based in the United States, Canada, and Japan.
The campaign is meant to infiltrate organizations worldwide to establish long-term access and subsequently exfiltrate data of interest to the adversary's nation-state, according to investigators. Some elements of the espionage attacks have already been reported in the media.
See: https://redskyalliance.org/xindustry/lazarus-group-is-back-with-more-malware
Symantec attributed the operation to a group referred to as Stonefly, a Lazarus subgroup better known as Andariel, Guardian of Peace, OperationTroy, and Silent Chollima. While these attacks previously led to the instrumentation of Preft (aka Dtrack) and NukeSped (aka Manuscript) implants, the latest attack wave is notable for employing two other pieces of malware: VSingle, an HTTP bot that executes arbitrary code from a remote network, and a Golang backdoor called YamaBot. Also used in the campaign is a new remote access trojan called MagicRAT with capabilities to evade detection and launch additional payloads on the infected systems. Although the same tactics have been applied in both attacks, the resulting malware implants deployed have been distinct from one another, indicating the wide variety of implants available at the disposal of Lazarus, according to researchers.[1]
A C++-based implant, MagicRAT is designed to achieve persistence by creating scheduled tasks on the compromised system. It is also “rather simple” in that it provides the attacker with a remote shell to execute arbitrary commands and carry out file operations. MagicRAT can also launch additional payloads retrieved from a remote server on infected hosts. One of the executables retrieved from the command-and-control (C2) server takes the form of a GIF image file but in reality, is a lightweight port scanner. The C2 infrastructure associated with MagicRAT has been found harboring and serving newer versions of TigerRAT, a backdoor formerly attributed to Andariel, and is engineered to execute commands, take screenshots, log keystrokes, and harvest system information.
Also included in the latest variant is a USB Dump feature that allows the adversary to hunt for files with specific extensions, alongside laying the groundwork for implementing video capture from webcams. The discovery of MagicRAT in the wild indicates Lazarus’ motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide,” the researchers said.
Initial access into enterprise networks is facilitated using exploitation of vulnerabilities in VMware products (e.g., Log4Shell), with the ultimate goal of establishing persistent access to activities supporting North Korean government objectives. The use of VSingle in one attack chain is said to have enabled the threat actor to carry out various activities such as reconnaissance, exfiltration, and manual back-dooring, giving the operators a solid understanding of the victim environment.
Other tactics embraced by the group besides the use of such malware include credential harvesting via tools like Mimikatz and Procdump, disabling antivirus components, reconnaissance of the Active Directory services, and even taking steps to clean up their traces after activating the back-doors on the endpoint.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://thehackernews.com/2022/09/north-korean-lazarus-hackers-targeting.html
Comments