North Korea-linked hackers target US energy sector by exploiting VMware Horizon

N. Korean flag with code
(Image credit: Shutterstock)

The North Korean state-sponsored APT Lazarus Group has been identified as conducting a new malicious campaign that exploits vulnerabilities in VMware Horizon to gain access to organisations in the energy sector.

As observed and detailed by Cisco Talos Intelligence, the attackers have targeted energy providers from the US and elsewhere around the world, including Canada and Japan.

The group’s aim is to use VMware’s vulnerabilities to infiltrate these companies and establish long-term access, before moving laterally across the enterprises to exfiltrate data of interest back to North Korea.

Once the initial foothold is established, the attackers deploy the group’s custom malware implants VSingle and YamaBot, as well as a previously unknown implant that Talos has named “MagicRAT”.

“The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives,” Cisco Talos said in a blog post.

“This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”

The cybersecurity firm said the initial attack vector was the exploitation of the Log4j vulnerability on exposed VMware servers, which led to the download of their toolkit from web servers.

This, along with several other aspects, matched similar attacks performed and observed in other attacks earlier this year. The IP address used as a hosting platform for the malicious tools was also found to be an overlap.

“Although the same tactics have been applied in both attacks, the resulting malware implants deployed have been distinct from one another, indicating the wide variety of implants available at the disposal of Lazarus,” Talos added.


In a follow-up post, Cisco Talo detailed the freshly-discovered Remote Access Trojan (RAT) it has dubbed “MagicRAT”, which it believes with “moderate to high confidence” was deployed by Lazarus as part of these attacks on energy companies.

Described as “relatively simple” in terms of capability, the RAT was programmed in C++ and built with recourse to the Qt framework, with the sole aim of making human analysis harder and automated detection less likely, Talos said.


Escape the ransomware maze

Conventional endpoint protection tools just aren’t the best defence anymore


Evidence was also found to suggest that, once MagicRAT is deployed on infected systems, it then launches additional payloads such as custom-built port scanners, the firm added. The RAT’s C2 infrastructure was also used to host newer variants of known Lazarus implants such as TigerRAT.

“The discovery of MagicRAT in the wild is an indication of Lazarus' motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organisations worldwide,” Cisco Talos said.

Daniel Todd

Dan is a freelance writer and regular contributor to ChannelPro, covering the latest news stories across the IT, technology, and channel landscapes. Topics regularly cover cloud technologies, cyber security, software and operating system guides, and the latest mergers and acquisitions.

A journalism graduate from Leeds Beckett University, he combines a passion for the written word with a keen interest in the latest technology and its influence in an increasingly connected world.

He started writing for ChannelPro back in 2016, focusing on a mixture of news and technology guides, before becoming a regular contributor to ITPro. Elsewhere, he has previously written news and features across a range of other topics, including sport, music, and general news.