Lazarus, also known as Hidden Cobra or Zinc, is a known nation-state cyberespionage threat actor originating from North Korea, according to the U.S. government. The threat actor has been active since 2009 and has often switched targets through time, probably according to nation-state interests.
Between 2020 and 2021, Lazarus compromised defense companies in more than a dozen countries including the U.S. It also targeted selected entities to assist strategic sectors such as aerospace and military equipment.
The threat actor is now aiming at energy providers, according to a new report from Cisco Talos.
Attack modus operandi
Lazarus often reuses very similar techniques from one attack to the next, as shown by Talos (Figure A).
Figure A
In the campaign reported by Talos, the initial vector of infection is the exploitation of the Log4j vulnerability on internet-facing VMware Horizon servers.
Once the targeted system is compromised, Lazarus downloads its toolkit from a web server it controls.
Talos has witnessed three variants of the attack, each deploying a different set of malware: VSingle alone, VSingle together with MagicRAT, or a new malware dubbed YamaBot.
Variations in the attack also involve other tools, such as mimikatz for credential harvesting, proxy tools to set up SOCKS proxies, or reverse tunneling tools such as Plink.
Lazarus also checks for installed antivirus on endpoints and disables Windows Defender antivirus.
The attackers also copy parts of the Windows Registry hives for offline analysis and possible exploitation of credentials and policy information, and gather information from Active Directory before creating their own high-privileged users. These users are removed once the attack is fully in place, along with temporary tools, and the Windows event logs are cleaned.
At this point, the attackers take their time to explore the systems, listing multiple folders and putting those of particular interest, mostly proprietary intellectual property, into a RAR archive file for exfiltration. The exfiltration is done via one of the malware families used in the attack.
Exclusive malware developed by Lazarus
Lazarus is a state-sponsored cyberespionage threat actor with the capability to develop and distribute its own malware families, and it has created several of them for its operations. Three different malware families are used in the current attack campaign exposed by Talos, dubbed VSingle, YamaBot and MagicRAT.
VSingle
VSingle is a persistent backdoor used by the threat actor to run different activities, such as reconnaissance, exfiltration and manual backdooring. It is a basic stager, enabling attackers to deploy more malware or to open a reverse shell that connects to a C2 server controlled by the attackers, which allows them to execute commands via cmd.exe.
Using VSingle, Lazarus typically runs commands on infected computers to collect information about the system and its network. All this information is mandatory for lateral movement activities, in which attackers can plant more malware on other systems or find information to exfiltrate later.
Lazarus has also used VSingle to force the system to cache users' credentials so that they can be collected afterward. The threat actor has also used it to grant administrator privileges to users it added to the system. This way, even if the malware is fully removed, the attackers may still access the network via Remote Desktop Protocol (RDP).
Lazarus makes use of two additional tools alongside VSingle: a utility called Plink, which enables the creation of encrypted tunnels between systems via the Secure Shell (SSH) protocol, and another tool named 3proxy, a small, publicly available proxy server.
MagicRAT
MagicRAT is the newest malware developed by the Lazarus team, according to Talos. It is a persistent malware written in the C++ programming language. Interestingly, it uses the Qt framework, a programming library normally used for graphical interfaces. Since the RAT has no graphical interface, the use of Qt is believed to be intended to make malware analysis more complex.
Once running, the malware provides its C2 server with basic information about the system and its environment. It also provides the attacker with a remote shell and a few other features such as an automatic deletion of the malware or a sleep function to try to avoid being detected.
In some Lazarus group attacks, MagicRAT has deployed the VSingle malware.
YamaBot
During one particular attack, the Lazarus group deployed YamaBot after several failed attempts to deploy the VSingle malware. YamaBot is written in the Go programming language and, just like its peers, it starts by collecting basic information about the system.
YamaBot provides the capability to browse through folders and list files, download and execute files or arbitrary commands on the infected computer, or send back information about processes running on the machine.
Energy companies at risk
While Talos does not disclose much about the actual targets of this attack campaign, the researchers mention that “Lazarus was primarily targeting energy companies in Canada, the U.S. and Japan. The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives. This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”
How to protect from the Lazarus cyberespionage threat
The Lazarus group makes heavy use of common vulnerabilities to compromise companies. In the current operation, it leveraged the Log4j vulnerability to gain an initial foothold on networks. Therefore, it is strongly advised to keep operating systems and all software up to date and patched to prevent exploitation of such vulnerabilities.
It is also advised to monitor all connections to RDP or VPN services coming from outside the company, since attackers sometimes impersonate employees by using their credentials to log in to systems. For the same reason, it is advised to deploy multi-factor authentication (MFA), so an attacker cannot simply use valid credentials to log in to systems.
Finally, security solutions need to be deployed and customized in order to detect malware and potential misuse of legitimate tools such as Plink.
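As an added illustration (not code from the Talos report or from this article), the following Python script runs simple detection rules over constructed Windows event records for the behaviours described above: RDP logons from outside private address space, newly created accounts promoted to Administrators, Windows Defender real-time protection being turned off, and the Security log being cleared. The event IDs (4624, 4720, 4732, 1102 and Defender 5001) are standard Windows IDs; the flat record layout and the internal address ranges are assumptions for the example.

```python
import ipaddress
from typing import Iterable

# Constructed sample events (not real telemetry). Each dict is a flattened
# Windows event record: the channel, the event ID and a few named fields.
SAMPLE_EVENTS = [
    {"log": "Security", "id": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "jdoe"},
    {"log": "Security", "id": 4624, "LogonType": 10, "IpAddress": "10.0.0.15", "TargetUserName": "jdoe"},
    {"log": "Security", "id": 4720, "TargetUserName": "svc_backup2", "SubjectUserName": "jdoe"},
    {"log": "Security", "id": 4732, "TargetUserName": "Administrators", "MemberName": "svc_backup2"},
    {"log": "Microsoft-Windows-Windows Defender/Operational", "id": 5001},
    {"log": "Security", "id": 1102, "SubjectUserName": "svc_backup2"},
]

# Assumed corporate address space; anything else is treated as "outside".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(events: Iterable[dict]) -> list[tuple]:
    """Return (rule, subject, detail) tuples for every record matching a rule."""
    alerts: list[tuple] = []
    created: set[str] = set()  # accounts created during this batch, for correlation
    for e in events:
        log, eid = e.get("log", ""), e.get("id")
        # 4624 with logon type 10 is a RemoteInteractive (RDP) logon.
        if log == "Security" and eid == 4624 and e.get("LogonType") == 10 and not is_internal(e["IpAddress"]):
            alerts.append(("rdp_from_external", e["TargetUserName"], e["IpAddress"]))
        elif log == "Security" and eid == 4720:  # user account created
            created.add(e["TargetUserName"])
            alerts.append(("user_created", e["TargetUserName"], e.get("SubjectUserName")))
        elif log == "Security" and eid == 4732 and e.get("TargetUserName") == "Administrators":
            # Member added to the local Administrators group; escalate if the account is brand new.
            kind = "new_user_made_admin" if e["MemberName"] in created else "admin_group_change"
            alerts.append((kind, e["MemberName"], "Administrators"))
        elif log.startswith("Microsoft-Windows-Windows Defender") and eid == 5001:
            alerts.append(("defender_realtime_disabled", None, None))  # real-time protection off
        elif log == "Security" and eid == 1102:  # audit log cleared
            alerts.append(("security_log_cleared", e.get("SubjectUserName"), None))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} subject={subject} detail={detail}")
```

The internal RDP logon from 10.0.0.15 is deliberately left silent so the rules only fire on the behaviours the article singles out.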
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.