Lazarus Campaigns and RATs

Industry: Energy | Level: Tactical | Source: Cisco Talos

Cisco Talos continues to expand its research on the North Korean threat actor group, Lazarus. Revealing the groups most recent campaigns against energy providers in the United States, Canada, and Japan. As well as their expanding toolset with various remote access trojans (RAT) and custom malware. The research shared from Cisco Talos focuses on Lazarus activity between February 2022 and July 2022. The objective of the campaign has been assessed to facilitate cyber espionage, "The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives. This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property." Lazarus obtained initial access against targeted organizations by exploiting log4j on vulnerable VMWare products. Lazarus operator's post-compromise activities include execution of PowerShell scripts, system reconnaissance, disabling Windows Defender, credential harvesting with Mimikatz, procdump, and credentials in the registry, and downloading custom malware to further infections and objectives. Lazarus's arsenal is vast with new custom malware such as MagicRat, VSingle, YamaBot, and TigerRAT. Various persistence techniques are leveraged from the group, including creating new registry key entries, new accounts, and scheduled tasks. Long-term access ensures the group is able to support North Korean objectives with intelligence collection.

Anvilogic Scenarios:

• Lazarus: Attack w. Script, Recon, Def Evasion and Custom Malware
• Malicious Exe Leads to Recon, Data Collection & Remote Process

Anvilogic Use Cases:

• Potential CVE-2021-44228 - Log4Shell
• ProcDump Credential Harvest
• Clear Windows Event Logs

‍