A malicious campaign conducted by the North Korean threat actor Lazarus Group targeted energy providers around the world between February and July 2022. The campaign was previously partially disclosed by Symantec and AhnLab in April and May, respectively, but Cisco Talos is now providing more details about it. Writing in an advisory on Thursday, the security researchers said the Lazarus campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain initial access to targeted organizations. “The initial vector was the exploitation of the Log4j vulnerability on exposed VMware Horizon servers. Successful post–exploitation led to the download of their toolkit from web servers,” the team wrote. “In most instances, the attackers instrumented the reverse shell to create their own user accounts on the endpoints they had initial access to.” In terms of the tools used in these attacks, Cisco Talos said they discovered the use of two known malware families, VSingle and YamaBot, alongside the deployment of a recently disclosed implant they called ‘MagicRAT.’ “Once the backdoors and implants were persisted and activated on the endpoint, the reverse shell used to perform cleanup[…], this included deleting all files in the infection folder along with the termination of the PowerShell tasks,” explained Cisco Talos.
Full report : North Korean Lazarus Group Hacked Energy Providers Worldwide.