A malicious campaign carried out by the North Korean threat actor Lazarus Group targeted energy providers around the world between February and July 2022.
The campaign was previously partially disclosed by Symantec and AhnLab in April and May, respectively, but Cisco Talos is now providing many more details about it.
Writing in an advisory on Thursday, the security researchers said the Lazarus campaign involved the exploitation of vulnerabilities in VMware Horizon to gain initial access to targeted organizations.
“The initial vector was the exploitation of the Log4j vulnerability on exposed VMware Horizon servers. Successful post-exploitation led to the download of their toolkit from web servers,” the team wrote.
“In most instances, the attackers instrumented the reverse shell to create their own user accounts on the endpoints they had initial access to.”
In terms of the tools used in these attacks, Cisco Talos said they observed the use of two known malware families, VSingle and YamaBot, along with the deployment of a recently disclosed implant they named ‘MagicRAT.’
“Once the backdoors and implants were persisted and activated on the endpoint, the reverse shell was used to perform cleanup[…], this included deleting all files in the infection folder along with the termination of the PowerShell tasks,” explained Cisco Talos.
“The attacker-created accounts were removed and finally, the Windows Event logs […] would be purged.”
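A defender-side correlation check for the sequence described in those quotes (a new local account appears, is later removed, and the event log is cleared), added here as an example and not part of the article or the Cisco Talos advisory. It assumes Windows Security event IDs 4720 (user account created), 4726 (user account deleted) and 1102 (audit log cleared), and runs over constructed sample records:

```python
"""Correlate account creation with a later audit-log clear on the same host.
The event records below are constructed for illustration, not real telemetry."""
from datetime import datetime, timedelta

# Constructed sample Windows Security events: (host, timestamp, event_id, detail).
SAMPLE_EVENTS = [
    ("horizon-01", "2022-05-10T02:14:05", 4624, "logon user=svc_horizon"),
    ("horizon-01", "2022-05-10T02:15:40", 4720, "account created user=sysadm_tmp"),
    ("horizon-01", "2022-05-10T02:31:12", 4726, "account deleted user=sysadm_tmp"),
    ("horizon-01", "2022-05-10T02:32:01", 1102, "audit log cleared by=sysadm_tmp"),
    ("fileserv-02", "2022-05-10T09:00:00", 4720, "account created user=new_hire"),
    ("fileserv-02", "2022-05-12T11:00:00", 1102, "audit log cleared by=admin"),
]

def parse_event(rec):
    """Turn a raw tuple into a dict with a real datetime and the user, if any."""
    host, ts, eid, detail = rec
    user = detail.split("user=")[1].split()[0] if "user=" in detail else None
    return {"host": host, "time": datetime.fromisoformat(ts), "id": eid, "user": user}

def correlate_cleanup(records, window_hours=24):
    """Return (host, user, created_iso, cleared_iso, short_lived) for every
    4720 that precedes a 1102 on the same host within window_hours.
    short_lived is True when the same account was deleted (4726) in between,
    which matches the create-use-remove-purge sequence the advisory describes."""
    events = sorted((parse_event(r) for r in records), key=lambda e: e["time"])
    window = timedelta(hours=window_hours)
    alerts = []
    for clear in (e for e in events if e["id"] == 1102):
        for created in events:
            if created["host"] != clear["host"] or created["id"] != 4720:
                continue
            gap = clear["time"] - created["time"]
            if not (timedelta(0) <= gap <= window):
                continue  # wrong order or outside the correlation window
            short_lived = any(
                d["id"] == 4726 and d["host"] == clear["host"]
                and d["user"] == created["user"]
                and created["time"] < d["time"] < clear["time"]
                for d in events
            )
            alerts.append((clear["host"], created["user"],
                           created["time"].isoformat(), clear["time"].isoformat(),
                           short_lived))
    return alerts

if __name__ == "__main__":
    for alert in correlate_cleanup(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The fileserv-02 pair falls outside the 24-hour window and is not flagged; tune `window_hours` to the dwell times seen in your own environment.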
According to Cisco Talos, organizations targeted in the recent Lazarus attacks included energy providers from different countries, including the US, Canada and Japan.
“The campaign is meant to infiltrate organizations around the world for establishing long-term access and subsequently exfiltrating data of interest to the adversary’s nation-state,” reads the technical write-up.
The new Cisco Talos advisory is only the latest in a long list describing the Lazarus Group’s hacking activities over the summer.
In June, blockchain analytics firm Elliptic suggested the threat actor may be behind the $100m theft from cryptocurrency firm Harmony. More recently, The Block linked the group to Axie Infinity’s $600m hack.
Some parts of this article are sourced from:
www.infosecurity-magazine.com