Lazarus Group unleashed a MagicRAT to spy on energy providers

The North Korean state-sponsored crime ring Lazarus Group is behind a new cyberespionage campaign with the goal to steal data and trade secrets from energy providers across the US, Canada and Japan, according to Cisco Talos.

The Lazarus Group is perhaps best known for the infamous WannaCry attacks and a ton of cryptocurrency theft. Now it's going after the troubled energy markets run by its foes. 

In research published today, Talos threat researchers say they observed malicious activity attributed to Lazarus Group between February and July. The reconnaissance and spy campaigns targeted "multiple victims," researchers Jung soo An, Asheer Malhotra and Vitor Ventura wrote. 

All of the intrusions begin with Kim Jong-un's cyber henchmen exploiting Log4j vulnerabilities in VMware Horizon, we're told. After they've breached the energy firms' networks, the miscreants deploy one or more of three custom malware implants. 

The first two, VSingle and YamaBot, have been attributed to Lazarus by Japan's computer emergency response team (CERT).

VSingle executes arbitrary code from a remote network and can download and execute plugins. In this campaign, Lazarus Group used the bespoke malware for a variety of nefarious purposes – including reconnaissance, exfiltration and manual backdooring, according to Talos.

YamaBot, meanwhile, is a custom-made implant written in Golang that communicates with command-and-control servers using HTTP requests.

The third implant is a previously unknown remote access trojan (RAT) that Talos discovered, named "MagicRAT," and attributed to Lazarus Group. 

"While being a relatively simple RAT capability-wise, it was built with recourse to the Qt Framework, with the sole intent of making human analysis harder, and automated detection through machine learning and heuristics less likely," Talos' researchers wrote in a blog published earlier this week. 

The threat hunters also suggest that, once deployed on victims' machines, MagicRAT launches additional payloads including custom-built port scanners.

• US puts $10 million bounty on North Korean cyber-crews
• Crypto sleuths pin $100 million Harmony theft on Lazarus Group
• Here today, gone to Maui: That's your data captured by North Korean ransomware
• FBI warns of North Korean cyberspies posing as foreign IT workers

After deploying the implants, the North Korean spies perform all manner of malicious deeds to bolster Kim's regime, according to the Talos research. This includes more general recon efforts as well as moving laterally through the energy companies' networks, stealing employees' credentials and exfiltrating data.

The fact that this campaign targets energy providers is especially troubling as energy costs skyrocket due to the war in Ukraine, reaching crisis status in Europe. But then, again, Pyongyang has never shied away from exploiting a global catastrophe — or a software vulnerability — for financial gain.

In July, Uncle Sam offered a $10 million reward for information on members of state-sponsored North Korean threat groups including Lazarus, double the amount that the US State Department announced back in April.

Also in April, the Feds attributed the $620 million Axie Infinity heist to North Korea's Lazarus Group, and fingered the gang's getaway wallet address. 

And a few months later, investigators at a blockchain analysis outfit linked the $100 million Harmony crypto theft to Kim Jong-un's cyber goons.

Kim's #goals

These cyberattacks on cryptocurrency exchanges and financial institutions help fund North Korea's nuclear and ballistic missile programs and support the country's claimed three top objectives: causing disruption, conducting cyberespionage, and raising money.

And this latest campaign against energy firms fits into these larger objectives, too.

"The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives," An, Malhotra and Ventura wrote. "This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property."

It's also similar to the Maui ransomware campaign used against US health-care organizations earlier this year that Kaspersky later attributed to Andariel, a North Korean state-sponsored threat with links to the notorious Lazarus Group.

The "critical difference" between the two, according to Talos, is the malware. "While Kaspersky discovered the use of Dtrack and Maui, we've observed the use of VSingle, YamaBot and MagicRAT," the analysts noted. ®