Lazarus Hackers are targeting every country’s Energy providers

North Korea has returned to the cybersecurity news due to its ties to the Lazarus Group and yet another successful cyber-robbery.
Targets of this attack include international energy suppliers with offices in the US, Canada, and Japan.

The campaign “is meant to infiltrate organizations around the world for establishing long-term access and subsequently exfiltrating data of interest to the adversary’s nation-state,” according to a report Cisco Talos shared with The Hacker News.

Certain details of the espionage attempts became public after earlier reports from Broadcom-owned Symantec and AhnLab in April and May of this year.

The operation was linked by Symantec to the Stonefly group, a Lazarus subgroup also known as Andariel, Guardian of Peace, Operation Troy, and Silent Chollima.

The Preft (also known as Dtrack) and NukeSped (also known as Manuscrypt) implants were deployed in the earlier attacks, but the most recent wave is notable for using two additional pieces of malware: VSingle, an HTTP bot that executes arbitrary code fetched from a remote network, and YamaBot, a Golang backdoor.
Also put to use in the operation is a new remote access trojan named MagicRAT, which comes with the ability to evade detection and deploy additional payloads on compromised devices.

To gain initial access to corporate networks, and eventually persistent access for carrying out operations that support North Korean government objectives, the attackers exploit vulnerabilities in VMware products, such as Log4Shell.
The use of VSingle in one attack chain is thought to have enabled the threat actor to do a number of tasks, including manual backdooring, exfiltration, and reconnaissance. This gave the operators a thorough grasp of the target environment.

Alongside its custom malware, the group relies on a variety of other methods, including credential harvesting with tools like Mimikatz and ProcDump, disabling antivirus software, reconnaissance of Active Directory services, and even erasing its footprints after activating endpoint backdoors.
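The post-compromise activity described above (credential dumping, antivirus tampering, Active Directory reconnaissance, log clearing) is exactly the kind of chain a defender can correlate from process-creation telemetry. The following is an added example, not code from the article or from Cisco Talos: it runs a handful of illustrative rules over constructed, pipe-delimited process-creation events and then flags any host/user pair that trips several distinct tactic categories in the same feed. The log format, host names, user names, tool file names and the regular expressions are all assumptions made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample process-creation events (not from the article or the Talos
# report). Field order: timestamp | host | user | image path | command line.
# The dumping and Mimikatz binaries are deliberately renamed (pd.exe, m.exe) so
# that the rules have to match on arguments rather than on the executable name.
SAMPLE_EVENTS = [
    r'2022-09-08T10:02:11Z | WS-014 | CORP\svc_backup | C:\Windows\System32\svchost.exe | svchost.exe -k netsvcs',
    r'2022-09-08T10:05:42Z | WS-014 | CORP\svc_backup | C:\Temp\pd.exe | pd.exe -accepteula -ma lsass.exe C:\Temp\out.dmp',
    r'2022-09-08T10:06:03Z | WS-014 | CORP\svc_backup | C:\Temp\m.exe | m.exe "sekurlsa::logonpasswords" exit',
    r'2022-09-08T10:07:19Z | WS-014 | CORP\svc_backup | C:\Windows\System32\net.exe | net stop "Windows Defender Antivirus Service"',
    r'2022-09-08T10:08:55Z | WS-014 | CORP\svc_backup | C:\Temp\adfind.exe | adfind.exe -f objectcategory=computer',
    r'2022-09-08T10:12:30Z | WS-014 | CORP\svc_backup | C:\Windows\System32\wevtutil.exe | wevtutil cl Security',
    r'2022-09-08T10:15:00Z | WS-014 | CORP\jdoe | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | WINWORD.EXE report.docx',
]

# Illustrative detection rules (assumed, not taken from any vendor ruleset):
# (tactic category, human-readable description, command-line pattern).
RULES = [
    ("credential_dump", "LSASS memory dump via ProcDump-style arguments",
     re.compile(r"-ma\s+lsass(\.exe)?\b", re.IGNORECASE)),
    ("credential_dump", "Mimikatz module invocation",
     re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.IGNORECASE)),
    ("defense_evasion", "Antivirus service stopped from the command line",
     re.compile(r'\b(net|sc)(\.exe)?\s+stop\s+"?[^"]*(defender|antivirus)', re.IGNORECASE)),
    ("discovery", "Active Directory enumeration tool",
     re.compile(r"\badfind(\.exe)?\b|\bdsquery(\.exe)?\b", re.IGNORECASE)),
    ("anti_forensics", "Windows event log cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog", re.IGNORECASE)),
]


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    category: str
    description: str
    command_line: str


def parse_event(line: str) -> dict:
    """Split one pipe-delimited event into its five named fields."""
    fields = [f.strip() for f in line.split(" | ")]
    if len(fields) != 5:
        raise ValueError(f"malformed event: {line!r}")
    timestamp, host, user, image, command_line = fields
    return {"timestamp": timestamp, "host": host, "user": user,
            "image": image, "command_line": command_line}


def detect(lines) -> list:
    """Run every rule over every event's command line; return one Alert per hit."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        for category, description, pattern in RULES:
            if pattern.search(event["command_line"]):
                alerts.append(Alert(event["timestamp"], event["host"], event["user"],
                                    category, description, event["command_line"]))
    return alerts


def correlate(alerts, min_categories: int = 3) -> list:
    """Return (host, user) pairs whose alerts span at least min_categories
    distinct tactic categories; one rule firing alone is noise, several
    different tactics from the same account on the same host are a chain."""
    categories_seen = defaultdict(set)
    for alert in alerts:
        categories_seen[(alert.host, alert.user)].add(alert.category)
    return sorted(key for key, cats in categories_seen.items() if len(cats) >= min_categories)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.category}] {a.timestamp} {a.host} {a.user}: {a.description} :: {a.command_line}")
    for host, user in correlate(found):
        print(f"Correlated intrusion chain on {host} as {user}")
```

Matching on command-line arguments rather than file names is the point worth taking from the sample: renamed tooling defeats a name-based rule, and the correlation step turns several medium-confidence hits from one account into a single high-confidence finding.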
