Security News > 2022 > September > North Korean Lazarus Hackers Targeting Energy Providers Around the World

A malicious campaign mounted by the North Korea-linked Lazarus Group is targeting energy providers around the world, including those based in the United States, Canada, and Japan.

"The campaign is meant to infiltrate organizations around the world for establishing long-term access and subsequently exfiltrating data of interest to the adversary's nation-state," Cisco Talos said in a report shared with The Hacker News.

Some elements of the espionage attacks have already entered public domain, courtesy of prior reports from Broadcom-owned Symantec and AhnLab earlier this April and May. Symantec attributed the operation to a group referred to as Stonefly, a Lazarus subgroup which is better known as Andariel, Guardian of Peace, OperationTroy, and Silent Chollima.

While these attacks previously led to the instrumentation of Preft and NukeSped implants, the latest attack wave is notable for employing two other pieces of malware: VSingle, an HTTP bot which executes arbitrary code from a remote network, and a Golang backdoor called YamaBot.

"Although the same tactics have been applied in both attacks, the resulting malware implants deployed have been distinct from one another, indicating the wide variety of implants available at the disposal of Lazarus," researchers Jung soo An, Asheer Malhotra, and Vitor Ventura said.

Initial access into enterprise networks is facilitated by means of exploitation of vulnerabilities in VMware products, with the ultimate goal of establishing persistent access to perform activities in support of North Korean government objectives.

News URL

https://thehackernews.com/2022/09/north-korean-lazarus-hackers-targeting.html