North Korea Lazarus hacking group targeting US energy grid

On Thursday, threat intelligence company Cisco Talos reported that Lazarus (also known as APT38) is targeting critical infrastructure and energy companies in the United States, Canada, and Japan. The attacks occurred between February and July this year, according to Cisco Talos.

Lazarus—or APT38—is a North Korean state-sponsored hacking group. They are best known for the Sony hack in 2016 and the WannaCry ransomware attack in 2017. In recent times, they have diversified into targeting cryptocurrency and blockchain companies.

Lazarus has stolen over $100 million in crypto assets from Harmony’s Horizon Bridge, and a massive $625 million in cryptocurrency from the Ronin Network. These funds are then used to fund North Korea’s military and nuclear weapons program.

The hackers used a year-old vulnerability in Log4j known as Log4Shell to compromise VMware Horizon servers and gain entry into the victims' networks. The hackers then deployed malware known as “YamaBot” and “VSingle” to establish a persistent connection to the target network.

Cisco Talos also observed a new remote-access trojan named “MagicRAT,” which the Lazarus group uses for reconnaissance and stealing credentials.

“The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives,” wrote Talos researchers Jung soo An, Asheer Malhotra and Vitor Ventura. “This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”
