The North Korean state-sponsored actor Lazarus Group has been compromising VMware Horizon servers by exploiting the Log4j flaw, in order to target energy companies in the U.S., Canada and Japan.
The attacks, observed between February and July, leveraged Log4Shell to gain an initial foothold in the victims’ networks before deploying several custom malware implants, including VSingle and YamaBot, both of which are exclusively developed and distributed by Lazarus, as well as a previously unknown malware called MagicRAT.
“The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives,” said Jung soo An, Asheer Malhotra and Vitor Ventura, researchers with Cisco Talos, in a Thursday analysis. “This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”
Lazarus, which has been attributed to the North Korean government by the U.S. government, has been active since 2010. Its campaign motives have included espionage, data theft, financial gain and disruptive attacks. Outside of government, defense and critical infrastructure organizations, the threat actor has also been targeting cryptocurrency investors, exchanges and blockchain organizations over the past year in order to install malware and steal funds and other data.
After gaining initial access via the Log4j flaw, the threat actor established a reverse shell to issue arbitrary commands, performed preliminary reconnaissance to obtain more network information and directory listings, and disabled protections such as Windows Defender components, before installing malware (of note, VMware Horizon is executed with administrator privileges, so the attacker did not need to elevate privileges).
The malware used in these campaigns included a known malware family developed by Lazarus called VSingle, which has reconnaissance, exfiltration, lateral movement and credential harvesting capabilities. Another incident used a different implant called YamaBot, a custom Golang-based malware family that was recently attributed to Lazarus by the Japanese CERT (JPCERT/CC). YamaBot has several standard RAT capabilities, including the ability to list files and directories, send process information to the command-and-control (C2) server, download files from remote locations and execute arbitrary commands on the endpoints.
Lazarus also expanded its offensive arsenal with a new malware called MagicRAT, which researchers said is relatively simple in terms of capabilities beyond the ability to launch additional payloads like custom-built port scanners.
However, MagicRAT has evolved over the last year to include new functionalities, with a new variant being discovered in April having the ability to delete itself from the infected endpoint using a BAT file, for instance.
In one unique feature, the RAT uses the Qt Framework, a programming library for developing graphical user interfaces. Because MagicRAT has no graphical user interface, researchers believe the developers’ intent is to increase the complexity of the RAT’s code, making analysis more difficult. Once on the system, MagicRAT also performs basic system reconnaissance, identifying the system and environment in which the attackers are operating by executing the commands whoami, systeminfo and ipconfig /all.
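The reconnaissance commands named above (whoami, systeminfo and ipconfig /all) are individually unremarkable, but all three launched in quick succession from the same parent process is a useful detection signal, especially when that parent is a web-facing service account running with administrator privileges, as the article notes VMware Horizon does. The following Python script is an added example, not code from Cisco Talos or from the article: it correlates a simplified, constructed process-creation log (timestamp, host, parent image, image, command line; the pipe-separated layout, the host names and the parent path `C:\svc\web_service.exe` are all assumptions) and raises one alert per host/parent pair that runs the full triad within a ten-minute window.

```python
"""Correlate the whoami / systeminfo / ipconfig /all reconnaissance triad
per (host, parent process) within a short time window.

Added example; the log lines below are constructed, not real telemetry.
Record layout (assumed): timestamp|host|parent_image|image|command_line
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Each pattern is matched against the full command line, case-insensitively.
# The leading class accepts start-of-string, a backslash (full path), a space
# or a quote so both "whoami" and "C:\Windows\System32\whoami.exe" are caught.
RECON_PATTERNS = {
    "whoami": re.compile(r"(?:^|[\\\s\"])whoami(?:\.exe)?\b", re.IGNORECASE),
    "systeminfo": re.compile(r"(?:^|[\\\s\"])systeminfo(?:\.exe)?\b", re.IGNORECASE),
    "ipconfig /all": re.compile(r"(?:^|[\\\s\"])ipconfig(?:\.exe)?\s+/all\b", re.IGNORECASE),
}

# All three commands must appear within this window to raise an alert.
WINDOW = timedelta(minutes=10)

# Constructed sample log: the first three lines model the triad launched by a
# web service on "horizon01"; the last two are benign admin activity on a
# workstation (no systeminfo, and the two commands are hours apart).
SAMPLE_LOGS = """\
2022-04-12T09:14:02|horizon01|C:\\svc\\web_service.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
2022-04-12T09:14:09|horizon01|C:\\svc\\web_service.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c systeminfo
2022-04-12T09:14:15|horizon01|C:\\svc\\web_service.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c ipconfig /all
2022-04-12T09:30:44|ws07|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
2022-04-12T11:02:10|ws07|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c ipconfig /all
"""


def parse_line(line):
    """Split one pipe-separated record into a dict with a parsed timestamp."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "parent": parent, "image": image, "cmdline": cmdline}


def classify(cmdline):
    """Return the set of reconnaissance command names found in a command line."""
    return {name for name, pat in RECON_PATTERNS.items() if pat.search(cmdline)}


def detect_recon_sequence(lines, window=WINDOW):
    """Return one alert per (host, parent) that ran the full triad in `window`."""
    groups = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = parse_line(raw)
        tags = classify(event["cmdline"])
        if tags:                       # keep only events that matter
            event["tags"] = tags
            groups[(event["host"], event["parent"])].append(event)

    alerts = []
    for (host, parent), events in groups.items():
        events.sort(key=lambda e: e["ts"])
        # Slide a window starting at each event; stop at the first full triad.
        for i, start in enumerate(events):
            seen, last = set(), start["ts"]
            for event in events[i:]:
                if event["ts"] - start["ts"] > window:
                    break
                seen |= event["tags"]
                last = event["ts"]
            if seen == set(RECON_PATTERNS):
                alerts.append({"host": host, "parent": parent,
                               "first": start["ts"], "last": last})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_recon_sequence(SAMPLE_LOGS.splitlines()):
        print(f"[ALERT] {alert['host']}: recon triad from {alert['parent']} "
              f"between {alert['first']} and {alert['last']}")
```

Keying on the parent image rather than the user account is deliberate: because the web service already runs as administrator, the account alone does not separate attacker activity from routine administration, whereas a web-facing service process spawning this command sequence is rarely legitimate. The window and patterns are tunable; a production rule would also consider the process tree depth and whether the parent is in an allow-list of expected interactive shells.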
“The discovery of MagicRAT in the wild is an indication of Lazarus' motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide,” said Cisco Talos researchers.
While pieces of this campaign were previously disclosed by security firms like Symantec, Talos researchers said their analysis on Thursday gives a fuller picture of the attackers’ TTPs.
“We have also observed an overlap of command and control (C2) and payload-hosting infrastructure between our findings and the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) June advisory that detailed continued attempts from threat actors to compromise vulnerable VMware Horizon servers,” said researchers.