The North Korean state-sponsored APT Lazarus Group has been identified as conducting a new malicious campaign that exploits vulnerabilities in VMware Horizon to gain access to organisations in the energy sector.
As observed and detailed by Cisco Talos Intelligence, the attackers have targeted energy providers from the US and elsewhere around the world, including Canada and Japan.
The group’s aim is to use VMware’s vulnerabilities to infiltrate these companies and establish long-term access, before moving laterally across the enterprises to exfiltrate data of interest back to North Korea.
Once the initial foothold is established, the attackers deploy the group’s custom malware implants VSingle and YamaBot, as well as a previously unknown implant that Talos has named “MagicRAT”.
“The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives,” Cisco Talos said in a blog post.
“This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”
The cybersecurity firm said the initial attack vector was the exploitation of the Log4j vulnerability on exposed VMware servers, which led to the download of their toolkit from web servers.
This, along with several other aspects, matched similar attacks performed and observed in other attacks earlier this year. The IP address used as a hosting platform for the malicious tools was also found to be an overlap.
“Although the same tactics have been applied in both attacks, the resulting malware implants deployed have been distinct from one another, indicating the wide variety of implants available at the disposal of Lazarus,” Talos added.
MagicRAT
In a follow-up post, Cisco Talo detailed the freshly-discovered Remote Access Trojan (RAT) it has dubbed “MagicRAT”, which it believes with “moderate to high confidence” was deployed by Lazarus as part of these attacks on energy companies.
Described as “relatively simple” in terms of capability, the RAT was programmed in C++ and built with recourse to the Qt framework, with the sole aim of making human analysis harder and automated detection less likely, Talos said.
Escape the ransomware maze
Conventional endpoint protection tools just aren’t the best defence anymore
Evidence was also found to suggest that, once MagicRAT is deployed on infected systems, it then launches additional payloads such as custom-built port scanners, the firm added. The RAT’s C2 infrastructure was also used to host newer variants of known Lazarus implants such as TigerRAT.
“The discovery of MagicRAT in the wild is an indication of Lazarus' motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organisations worldwide,” Cisco Talos said.
