Updated on 2022-09-27
In its latest campaign, the Lazarus APT group was observed leveraging unsolicited job opportunities to drop malware on macOS. These fake job ads are part of its Operation In(ter)ception campaign. Read more: North Korea’s Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs
Updated on 2022-09-23: Lazarus BYOVD attacks
AhnLab researchers have published an extensive report on BYOVD (Bring Your Own Vulnerable Driver) attacks employed by the North Korean Lazarus APT. The company notes that while these attacks have been seen since 2014, Lazarus is the first APT to have designed an elaborate rootkit that uses BYOVD techniques to elevate privileges and compromise all major Windows versions, from the old Windows 7 up to the most recent OS version, Windows Server 2022. Read more: Analysis Report on Lazarus Group’s Rootkit Attack Using BYOVD
Updated on 2022-09-22: New Lazarus attack
In the meantime, Chinese security researcher Hao Zhixiang said this week that he detected a new phishing campaign linked to the Lazarus group that has targeted virtual currency company Maitixport. IOCs in the Twitter thread below:
1) The North Korean Lazarus APT organization attacked the virtual currency company Maitixport. The link sent by the attacker was actually a malicious PDF file, faking the content of a salary increase for the company's CEO. @cyberwar_15 @malwrhunterteam @ShadowChasing1 @abuse_ch pic.twitter.com/zR9eCzfaaG
— zhixiang hao (@HaoZhixiang) September 21, 2022
The North Korean state-sponsored hacking group known as Lazarus has launched a campaign to steal sensitive information from computer networks of energy providers in the US, Canada, and Japan. Researchers from Cisco Talos say the hackers are exploiting Log4j vulnerabilities in VMware Horizon servers to access the targeted networks.
- What is new is that a new implant, “MagicRAT”, is being deployed three days before the deployment of their previously known VSingle malware. The entry point remains vulnerable services, such as unpatched VMware Horizon servers exposed to Log4Shell, for which patches have been available in this case. Yes, it’s a bummer taking downtime to patch these services, but it’s far better than the fallout if you’re compromised. Yes, your internal network is safer than Internet-exposed services, but it’s too risky to assume attackers can’t penetrate your perimeter. Core capabilities in the Lazarus toolkit include disabling endpoint protection and other mitigations you’ve deployed to detect and prevent compromise.
Updated on 2022-09-15: Lazarus APT deploying three trojans in attacks against users in North America
Description: Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMware Horizon to gain an initial foothold in targeted organizations. Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan. The campaign is meant to infiltrate organizations around the world to establish long-term access and subsequently exfiltrate data of interest to the adversary’s nation-state. Talos has discovered the use of two known families of malware in these intrusions — VSingle and YamaBot. Talos has also discovered the use of a recently disclosed implant we’re calling “MagicRAT” in this campaign.
Read more in
- Lazarus and the tale of three RATs
- MagicRAT: Lazarus’ latest gateway into victim networks
- Lazarus Group unleashed a MagicRAT to spy on energy providers
- North Korean Lazarus hackers take aim at U.S. energy providers
The US has recovered $30 million stolen from Axie Infinity by North Korea’s Lazarus group. Leveraging blockchain analysis expertise from Chainalysis and the FBI, law enforcement agencies were able to seize the funds at the cashout stage (not from the blockchain itself). This is yet another reminder that the blockchain doesn’t just leave crumbs—it’s a crumb-leaving technology—and criminals are often vulnerable at the cashout step. Read more: US recovers $30 million stolen from Axie Infinity by Lazarus hackers
Overview: Lazarus Group starts using new MagicRAT in attacks targeting vulnerable VMware Horizon platforms
Cisco Talos discovered a new remote access trojan (RAT) named “MagicRAT” that Talos attributed with moderate to high confidence to the Lazarus threat actor, a state-sponsored APT attributed to North Korea by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). This new RAT was found on victims that had been initially compromised through the exploitation of publicly exposed VMware Horizon platforms. While being a relatively simple RAT capability-wise, it was built with recourse to the Qt Framework, with the sole intent of making human analysis harder and automated detection through machine learning and heuristics less likely. Talos also found evidence to suggest that once MagicRAT is deployed on infected systems, it launches additional payloads such as custom-built port scanners. Additionally, Talos found that MagicRAT’s C2 infrastructure was also used to host newer variants of known Lazarus implants such as TigerRAT. The discovery of MagicRAT in the wild is an indication of Lazarus’ motivation to rapidly build new, bespoke malware to use alongside previously known malware such as TigerRAT to target organizations worldwide.
Read more in