Lazarus Group, the North Korean threat actor, ran a malicious campaign against energy providers around the world between February and July 2022.
In April and May, the campaign was partially disclosed by Symantec and AhnLab, respectively. Cisco Talos is providing more details now.
In an advisory written on Thursday, Cisco Talos said that the Lazarus campaign involved the exploitation of vulnerabilities in VMware Horizon to gain initial access to targeted organisations.
The advisory stated: “The initial vector was the exploitation of the Log4j vulnerability on exposed VMware Horizon servers. Successful post-exploitation led to the download of their toolkit from web servers.”
“In most instances, the attackers instrumented the reverse shell to create their own user accounts on the endpoints they had initial access to.”
The security researchers said that they discovered the use of two unknown malware families, YamaBot and VSingle, alongside the deployment of a recently disclosed implant they called ‘MagicRAT.’
“Once the backdoors and implants were persisted and activated on the endpoint, the reverse shell was used to perform cleanup […]; this included deleting all files in the infection folder along with the termination of the PowerShell tasks.”
“The attacker-created accounts were removed and finally, the Windows Event logs […] would be purged.”
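The cleanup sequence quoted above (attacker-created local accounts, later removed, followed by purging of the Windows Event logs) leaves a recognisable trail in any Security log that was forwarded before the purge. The following detection sketch is an added example and not code from the Cisco Talos advisory; it runs over constructed sample records (the host names, user names and timestamps are made up) in a simplified JSON-like shape that assumes a SIEM export carrying the EventID, host, time and the subject/target user fields. The event IDs used are the standard Windows Security audit IDs for account creation (4720), account deletion (4726) and audit-log clearing (1102).

```python
"""Flag hosts where a local account was created, deleted again and the
Security log cleared, all within a short window.  Added example; the records
below are constructed sample data, not real telemetry."""
from datetime import datetime, timedelta

# Constructed sample events.  horizon-01 shows the attacker pattern; the
# account on fileserver-02 is a normal helpdesk-created user with no cleanup.
SAMPLE_EVENTS = [
    {"host": "horizon-01", "time": "2022-03-10T02:14:05", "event_id": 4720,
     "target_user": "svc_update", "subject_user": "horizon-01$"},
    {"host": "horizon-01", "time": "2022-03-10T03:40:22", "event_id": 4726,
     "target_user": "svc_update", "subject_user": "svc_update"},
    {"host": "horizon-01", "time": "2022-03-10T03:41:00", "event_id": 1102,
     "subject_user": "svc_update"},
    {"host": "fileserver-02", "time": "2022-03-11T09:00:00", "event_id": 4720,
     "target_user": "jdoe", "subject_user": "helpdesk"},
    {"host": "fileserver-02", "time": "2022-03-11T09:05:00", "event_id": 1102,
     "subject_user": "helpdesk"},
]

ACCOUNT_CREATED = 4720   # "A user account was created"
ACCOUNT_DELETED = 4726   # "A user account was deleted"
AUDIT_LOG_CLEARED = 1102  # "The audit log was cleared"


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_cleanup_sequences(events, window=timedelta(hours=24)):
    """Return one alert per (host, user) where a 4720 for that user is followed,
    within `window`, by a 4726 for the same user and then an 1102 on the host.
    All three steps are required, so a lone log clear or a lone short-lived
    account does not alert on its own."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["event_id"] != ACCOUNT_CREATED:
                continue
            created_at = _parse(ev["time"])
            user = ev["target_user"]
            deleted = cleared = False
            for later in evs[i + 1:]:
                if _parse(later["time"]) - created_at > window:
                    break  # events are time-sorted, so nothing later can match
                if later["event_id"] == ACCOUNT_DELETED and later.get("target_user") == user:
                    deleted = True
                elif later["event_id"] == AUDIT_LOG_CLEARED and deleted:
                    cleared = True
                    break
            if deleted and cleared:
                alerts.append({"host": host, "user": user, "created": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in find_cleanup_sequences(SAMPLE_EVENTS):
        print(f"{alert['host']}: account {alert['user']} created {alert['created']}, "
              f"deleted and Security log cleared within 24h")
```

Because the final step of the sequence destroys the local evidence, this only works against logs that were shipped off the host (event forwarding or an agent) before the 1102 event; the 1102 record itself is written after the clear and is typically the last thing a purged Security log contains.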
Organisations targeted, according to Cisco Talos, were from countries including Canada, Japan and the US.
Additionally, the write-up reads: “The campaign is meant to infiltrate organizations around the world for establishing long-term access and subsequently exfiltrating data of interest to the adversary’s nation-state.”
This advisory is the latest in a long list describing the Lazarus Group’s activity over the summer.
In June, it was reported that the threat actor may be behind the $100m theft from cryptocurrency firm Harmony.