The Lazarus Group dropped a MagicRAT to spy on energy suppliers • The Register

According to Cisco Talos, the North Korean state-sponsored Lazarus Group is behind a new cyber-espionage campaign aimed at stealing data and trade secrets from energy suppliers in the United States, Canada and Japan.

The Lazarus Group is perhaps best known for the infamous WannaCry attacks and a long string of cryptocurrency thefts. Now it is going after the struggling energy markets of its adversaries.

In a report published today, Talos threat researchers say they observed malicious activity attributed to the Lazarus Group between February and July. The reconnaissance and espionage campaign targeted "multiple victims," researchers Jung soo An, Asheer Malhotra and Vitor Ventura wrote.

All of the intrusions started with Kim Jong-un's cyber minions exploiting the Log4j vulnerability (Log4Shell) in internet-facing VMware Horizon servers, we are told. After gaining a foothold in the energy companies' networks, the intruders deployed one or more of three custom malware implants.

The first two, VSingle and YamaBot, were previously attributed to Lazarus by JPCERT/CC, Japan's Computer Emergency Response Team Coordination Center.

VSingle executes arbitrary code fetched from a remote server and can download and run plugins. In this campaign, Lazarus Group used the bespoke malware for a range of purposes, including reconnaissance, exfiltration and manual backdooring, according to Talos.

YamaBot, meanwhile, is a bespoke implant written in Go that communicates with its command-and-control servers over HTTP.

The third implant is a previously unknown remote access trojan (RAT), discovered by Talos, named "MagicRAT" and attributed to the Lazarus Group.

"Although it is a relatively simple RAT in terms of capabilities, it was built using the Qt Framework, with the sole purpose of making human analysis more difficult, and automated detection by machine learning and heuristics less likely," the Talos researchers wrote in a blog post released earlier this week.

The threat hunters also observed that, once deployed on victim machines, MagicRAT launches additional payloads, including custom port scanners.

After deploying the implants, the North Korean spies carry out a range of malicious activity on behalf of the Kim regime, according to Talos' research. This includes broader reconnaissance, lateral movement through the energy companies' networks, theft of employee credentials, and data exfiltration.

The fact that this campaign targets energy suppliers is particularly troubling as energy costs soar due to the war in Ukraine, reaching crisis levels in Europe. But then again, Pyongyang has never been shy about exploiting a global catastrophe, or a software vulnerability, for financial gain.

In July, Uncle Sam offered a $10 million reward for information on members of state-sponsored North Korean threat groups, including Lazarus, double the amount announced by the US State Department in April.

Also in April, federal authorities attributed the $620 million Axie Infinity heist to the North Korean group Lazarus and pinpointed the gang’s wallet address.

And a few months later, investigators from a blockchain analytics firm linked the $100 million Harmony crypto theft to Kim Jong-un’s cyber goons.

Kim’s #goals

These cyberattacks on cryptocurrency exchanges and financial institutions help fund North Korea's nuclear and ballistic missile programs and support what are widely assessed to be the country's three main goals in cyberspace: causing disruption, conducting cyber espionage, and raising funds.

This latest campaign against energy companies fits within those larger goals.

“The primary purpose of these attacks was likely to establish long-term access to victim networks to conduct espionage operations in support of North Korean government objectives,” An, Malhotra and Ventura wrote. “This activity aligns with historic Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”

It is also similar to the Maui ransomware campaign used against US healthcare organizations earlier this year, which Kaspersky later attributed to Andariel, a North Korean state-sponsored group with ties to the notorious Lazarus Group.

The "critical difference" between the two, according to Talos, is the malware. "While Kaspersky discovered the use of Dtrack and Maui, we observed the use of VSingle, YamaBot and MagicRAT," the analysts noted.