The notorious North Korean state-backed cybercriminal group, Lazarus (also known as APT 38), is targeting energy companies in the US, Canada and Japan using the Log4j vulnerability to breach VMware Horizon servers.
Threat intelligence company Cisco Talos says the cybercriminals group targeted certain energy providers in the three countries between February and July 2022. Lazarus used the Log4j vulnerability — reported last year — to gain access to the servers and deployed Vsingle, Yamabot malware, alongside a new entrant — dubbed MagicRat — to establish a seamless connection.
The research published by Cisco Talos on Thursday states that the MagicRat malware attributed to Lazarus is a remote access trojan used for reconnaissance and stealing credentials.
Vsingle is used to execute arbitrary code from remote networks and can be used to download plugins. According to the researchers, Lazarus has been using it for reconnaissance, manual backdooring and exfiltration. The other one, Yamabot, is a Golang-based malware that uses HTTP requests to communicate with command-and-control servers.
“The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives. This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property,” said Cisco Talos.
In June this year, the Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) warned people using VMware Horizon and Unified Access Gateway that these products are being actively exploited using the Log4Shell vulnerability.
The state-sponsored cybercriminals group has been active for more than a decade and is responsible for some of the biggest hacks as well as most damaging malware strains out there, including the Wannacry ransomware. Earlier this year, in May, researchers also found a new strain attributed to Lazarus. The group cryptojacked more than half a billion dollars in 2018 after gaining access to multiple crypto exchanges and followed that by looting ATMs in Asia and Africa. They are also allegedly behind the Sony hacks of 2014, Bangaladesh bank heist from 2016. Another similar cryptojacking incident fetched them north of $400 million in 2021 and the Ronin bridge breach from earlier this year also got them around the same sum.
In the News: Classified NATO documents surface on the darkweb