Security researchers have linked a new cyber espionage campaign targeting U.S., Canadian and Japanese energy providers to the North Korean state-sponsored Lazarus hacking group.
Threat intelligence company Cisco Talos said Thursday that it has observed Lazarus — also known as APT38 — targeting unnamed energy providers in the United States, Canada and Japan between February and July this year. According to Cisco’s research, the hackers used a year-old vulnerability in Log4j, known as Log4Shell, to compromise internet-exposed VMware Horizon servers to establish an initial foothold onto a victim’s enterprise network, before deploying bespoke malware known as “VSingle” and “YamaBot” to establish long-term persistent access. YamaBot was recently attributed to the Lazarus APT by Japan’s national cyber emergency response team, known as CERT.
Details of this espionage campaign were first revealed by Symantec in April this year, which attributed the operation to “Stonefly,” another North Korean hacking group that has some overlaps with Lazarus.
However, Cisco Talos also observed a previously unknown remote access trojan — or RAT — named “MagicRAT,” attributed to Lazarus Group, which the hackers use for reconnaissance and stealing credentials.