North Korea-linked hackers target US energy sector by exploiting VMware Horizon

Lazarus Group attackers used malware implants VSingle, YamaBot and the previously unknown MagicRAT, Cisco Talos found

The North Korean state-sponsored APT Lazarus Group has been identified as conducting a new malicious campaign that exploits vulnerabilities in VMware Horizon to gain access to organisations in the energy sector.

As observed and detailed by Cisco Talos Intelligence, the attackers have targeted energy providers from the US and elsewhere around the world, including Canada and Japan.

The group’s aim is to use VMware’s vulnerabilities to infiltrate these companies and establish long-term access, before moving laterally across the enterprises to exfiltrate data of interest back to North Korea.

Once the initial foothold is established, the attackers deploy the group’s custom malware implants VSingle and YamaBot, as well as a previously unknown implant that Talos has named “MagicRAT”.

“The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives,” Cisco Talos said in a blog post.

“This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”

The cybersecurity firm said the initial attack vector was the exploitation of the Log4j vulnerability on internet-exposed VMware Horizon servers, after which the group's toolkit was downloaded from attacker-controlled web servers.

This, along with several other aspects, matched similar Lazarus attacks observed earlier this year. The IP address used to host the malicious tools also overlapped with that earlier activity.

“Although the same tactics have been applied in both attacks, the resulting malware implants deployed have been distinct from one another, indicating the wide variety of implants available at the disposal of Lazarus,” Talos added.

MagicRAT

In a follow-up post, Cisco Talos detailed the newly discovered Remote Access Trojan (RAT) it has dubbed “MagicRAT”, which it believes with “moderate to high confidence” was deployed by Lazarus as part of these attacks on energy companies.

Described as “relatively simple” in terms of capability, the RAT was written in C++ and built using the Qt framework, with the sole aim of making human analysis harder and automated detection less likely, Talos said.

Evidence was also found to suggest that, once MagicRAT is deployed on an infected system, it launches additional payloads such as custom-built port scanners, the firm added. The RAT’s command-and-control (C2) infrastructure was also used to host newer variants of known Lazarus implants such as TigerRAT.

“The discovery of MagicRAT in the wild is an indication of Lazarus' motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organisations worldwide,” Cisco Talos said.
