Energy Providers Targeted by Lazarus Group

Lazarus Group, a North Korean state-sponsored threat actor, ran a malicious campaign against energy providers around the world between February and July 2022. The campaign was partially disclosed by Symantec in April and by AhnLab in May; Cisco Talos has now published further details.

In an advisory published on Thursday, Cisco Talos said the Lazarus campaign exploited vulnerabilities in VMware Horizon to gain initial access to the targeted organizations. The initial foothold was obtained by exploiting the Log4j vulnerability on internet-exposed VMware Horizon servers. A successful exploit was followed by the download of toolkits from web servers.

"In most instances, the attackers instantiated a reverse shell to create their own user accounts on the endpoints they had gained initial access to," the researchers wrote. In addition to the deployment of a newly discovered implant, which they named MagicRAT, the researchers observed the use of two known malware families, VSingle and YamaBot.

"Once the backdoors and implants were persisted and activated on the endpoint, the reverse shell was used to perform cleanup [...]. This included the deletion of all files in the infection folder along with the termination of PowerShell tasks," the researchers said. "The accounts created by the attackers were also removed, and finally the Windows Event logs were cleared."
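The account-lifecycle behaviour described above (create a local account over a reverse shell, use it, delete it, then clear the Security log) leaves a recognisable trace in Windows Security events even after the attacker's files are gone: account creation (4720) and deletion (4726) for the same account on the same host within a short window, followed by an audit-log-cleared event (1102). The following hunt script is an added example, not part of the original article or of Cisco Talos's published tooling; the event records in it are constructed to mimic a flattened Security log export, and the host and account names are invented.

```python
"""Hunt for short-lived local accounts followed by a cleared Security log.

Added example: correlates Windows Security event IDs 4720 (account created),
4726 (account deleted) and 1102 (audit log cleared) per host. The event IDs
are the real Windows IDs; the SAMPLE_EVENTS below are constructed, not real
telemetry, and the hostnames and account names are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720    # Security: a user account was created
ACCOUNT_DELETED = 4726    # Security: a user account was deleted
AUDIT_LOG_CLEARED = 1102  # Security: the audit log was cleared

# Constructed sample export. "target" is the account acted upon, "subject" the
# account performing the action (for 1102, the account that cleared the log).
SAMPLE_EVENTS = [
    {"time": "2022-06-01T10:00:05", "id": 4624, "host": "HZN-WEB01", "target": "svc_horizon", "subject": "SYSTEM"},
    {"time": "2022-06-01T10:02:11", "id": 4720, "host": "HZN-WEB01", "target": "backup_adm", "subject": "HZN-WEB01$"},
    {"time": "2022-06-01T10:02:12", "id": 4732, "host": "HZN-WEB01", "target": "Administrators", "subject": "HZN-WEB01$"},
    {"time": "2022-06-01T11:40:00", "id": 4726, "host": "HZN-WEB01", "target": "backup_adm", "subject": "HZN-WEB01$"},
    {"time": "2022-06-01T11:41:30", "id": 1102, "host": "HZN-WEB01", "target": "", "subject": "backup_adm"},
    # Benign comparison: HR provisions an account on another host and it stays.
    {"time": "2022-06-01T09:00:00", "id": 4720, "host": "FILE02", "target": "jdoe", "subject": "hr_admin"},
]


def find_account_cleanup(events, max_lifetime=timedelta(hours=24),
                         clear_window=timedelta(hours=1)):
    """Return one finding per account that was created and then deleted on the
    same host within max_lifetime. Each finding records whether the Security
    log was cleared on that host within clear_window after the deletion."""
    created_at = {}                 # (host, account) -> creation time
    cleared_at = defaultdict(list)  # host -> [times the audit log was cleared]
    findings = []

    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        key = (e["host"], e["target"].lower())
        if e["id"] == ACCOUNT_CREATED:
            created_at[key] = t
        elif e["id"] == ACCOUNT_DELETED and key in created_at:
            lifetime = t - created_at[key]
            if lifetime <= max_lifetime:
                findings.append({
                    "host": e["host"],
                    "account": e["target"],
                    "created": created_at[key],
                    "deleted": t,
                    "lifetime_minutes": int(lifetime.total_seconds() // 60),
                    "log_cleared": False,
                })
        elif e["id"] == AUDIT_LOG_CLEARED:
            cleared_at[e["host"]].append(t)

    # Second pass: a 1102 shortly after the deletion is the strongest signal.
    for f in findings:
        f["log_cleared"] = any(
            f["deleted"] <= c <= f["deleted"] + clear_window
            for c in cleared_at[f["host"]]
        )
    return findings


if __name__ == "__main__":
    for f in find_account_cleanup(SAMPLE_EVENTS):
        flag = "LOG CLEARED" if f["log_cleared"] else "log intact"
        print(f'{f["host"]}: {f["account"]} lived {f["lifetime_minutes"]} min, {flag}')
```

On a real estate, feed the function a Security log export (for example from Get-WinEvent or a SIEM) shaped like the constructed records; the 1102 event in particular is worth alerting on by itself, since the same wipe removes the 4720/4726 pair from the endpoint and only a forwarded copy will still show the sequence.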
