The North Korean state-sponsored crime ring Lazarus Group is behind a new cyberespionage campaign with the goal to steal data and trade secrets from energy providers across the US, Canada and Japan, according to Cisco Talos.
The attacks aimed to infiltrate organizations around the world in order to maintain long-term access and exfiltrate data from the victims.
The attack chain observed by the experts starts with the exploitation of vulnerabilities (i.e. the Log4j vulnerability) in VMware products to gain an initial foothold in enterprise networks. Once they had obtained access to the network, the threat actors deployed custom implants tracked.
Details of this espionage campaign were first revealed by Symantec in April this year, which attributed the operation to “Stonefly,” another North Korean hacking group that has some overlaps with Lazarus.
However, Cisco Talos also observed a previously unknown remote access trojan (RAT) named “MagicRAT,” attributed to Lazarus Group, which the hackers use for reconnaissance and credential theft.
“The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives,” wrote Talos researchers.
The campaign also resembles the Maui ransomware campaign used against US health-care organizations earlier this year, which Kaspersky later attributed to Andariel, a North Korean state-sponsored threat actor with links to the notorious Lazarus Group.