North Korean APT Group Attacking Corporate Networks of Energy Providers

Lazarus (APT38), the North Korean state-sponsored APT group, is attacking the corporate networks of energy providers by exploiting VMware Horizon servers.

The energy providers whose corporate networks were attacked by the group are based in the following countries:-

  • The United States
  • Canada
  • Japan

Lazarus is a state-sponsored threat group that has been known for a number of operations over the past few years.

The group's threat actors have carried out hundreds of sophisticated attacks internationally. The prime operations conducted by the Lazarus group are:-

  • Espionage
  • Data theft
  • Cryptocurrency stealing campaigns 

Custom Malware Families Used

Cisco Talos security analysts uncovered the current operation as part of their ongoing threat detection efforts. Between February and July 2022, Lazarus used a series of VMware Horizon exploits to gain initial access to the energy organizations.

To survey the infected devices and steal data from them, the group's operators used custom malware families such as the following:-

  • VSingle
  • YamaBot
  • MagicRAT

Attack Flow

To illustrate Lazarus' TTPs and their versatility, Cisco Talos describes several attack scenarios used by the group.

In the first scenario, the threat actors exploited vulnerable VMware Horizon servers, mainly targeting servers that are vulnerable to Log4Shell.

The exploit executes shellcode on the compromised endpoint that creates a reverse shell, through which arbitrary commands can be executed on it.

Before deploying VSingle, Lazarus deactivates Windows Defender using the following:-

  • Registry key modification
  • WMIC
  • PowerShell commands

This is possible because VMware Horizon runs with high privileges. VSingle is a backdoor that offers several sophisticated features:-

  • Supports commands for advanced network reconnaissance.
  • Creates an environment conducive to credential theft.
  • Creates new admin users on the host.
  • Obtains plugins from the C2 that enhance its functionality, such as establishing a reverse shell connection.
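Added example, not code from the article or from Cisco Talos: a small Python detector for the Defender-disabling step described above. It reads Windows Defender Operational log events and merges the registry, WMIC and PowerShell changes made on one host into a single incident. The event IDs, the 5007 "New value" format and the sample events are assumptions constructed for this example; check them against your own Defender telemetry.

```python
from datetime import datetime, timedelta
# Defender Operational channel IDs meaning protection was switched off (assumed
# from Microsoft's documented IDs; verify against your Defender build).
TAMPER_EVENT_IDS = {5001: "real-time protection disabled", 5010: "scanning disabled"}
# Policy values that turn Defender off when set to 1; logged as 5007 events.
TAMPER_VALUES = {"DisableAntiSpyware", "DisableRealtimeMonitoring", "DisableAntiVirus"}

def tamper_reason(event):
    # event = (timestamp, event_id, host, new_value); new_value is the 5007
    # "New value" field in the assumed form r"HKLM\...\Name = 0x1".
    _, event_id, _, new_value = event
    if event_id in TAMPER_EVENT_IDS:
        return TAMPER_EVENT_IDS[event_id]
    if event_id == 5007:
        name, _, value = new_value.rpartition("=")
        key = name.strip().split("\\")[-1]
        if key in TAMPER_VALUES and value.strip() == "0x1":
            return "policy set: " + key
    return None

def find_tampering(events, window=timedelta(minutes=10)):
    # Tamper events on one host within `window` of the previous one are merged,
    # so back-to-back registry, WMIC and PowerShell changes form one incident.
    alerts = []
    for event in sorted(events, key=lambda e: e[0]):
        reason = tamper_reason(event)
        if reason is None:
            continue
        ts, _, host, _ = event
        for alert in alerts:
            if alert["host"] == host and ts - alert["last"] <= window:
                alert["reasons"].append(reason)
                alert["last"] = ts
                break
        else:
            alerts.append({"host": host, "first": ts, "last": ts, "reasons": [reason]})
    return alerts

# Constructed sample: one Horizon host disabled three ways in two minutes, plus
# a benign scan-setting change on another host that must not alert.
T0 = datetime(2022, 3, 1, 2, 15)
SAMPLE_EVENTS = [
    (T0, 5007, "HORIZON-01",
     r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 0x1"),
    (T0 + timedelta(seconds=40), 5001, "HORIZON-01", ""),
    (T0 + timedelta(minutes=2), 5010, "HORIZON-01", ""),
    (T0 + timedelta(hours=1), 5007, "FILESRV-02",
     r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x2"),
]
```

Running `find_tampering(SAMPLE_EVENTS)` yields one incident for HORIZON-01 with three reasons and nothing for FILESRV-02; in practice, feed it events exported from the Microsoft-Windows-Windows Defender/Operational channel and alert on any host that also serves VMware Horizon.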

In the second scenario, the access and reconnaissance procedures follow a pattern similar to the first. This time, the attackers also dropped VSingle and MagicRAT.

In the third scenario, Lazarus deploys YamaBot, a custom malware written in the Go programming language.

YamaBot offers several standard RAT capabilities, such as:-

  • List files and directories.
  • Send process information to C2.
  • Download files from remote locations.
  • Execute arbitrary commands on the endpoints.
  • Uninstall itself.

In some cases, the attackers also used Mimikatz and Procdump. It has also been reported that, in some cases, copies of registry hives containing AD credentials were exfiltrated.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.