"North Korean Lazarus Hackers Targeting Energy Providers Around the World"

The North Korea-linked Lazarus Group is running a malicious campaign against energy providers worldwide, including organizations in the US, Canada, and Japan. According to Cisco Talos, the campaign's goal is to infiltrate these organizations in order to gain long-term access and then exfiltrate data of interest to the adversary's nation-state. Some aspects of the espionage attacks had already become public through earlier reports from Broadcom-owned Symantec and AhnLab in April and May. Symantec attributed the operation to Stonefly, a Lazarus subgroup also known as Andariel, Guardian of Peace, Operation Troy, and Silent Chollima. While the previously reported attacks involved the deployment of the Preft (also known as Dtrack) and NukeSped implants, the latest attack wave is notable for its use of two additional pieces of malware: VSingle, an HTTP bot that executes arbitrary code fetched from a remote network, and YamaBot, a Golang backdoor. MagicRAT, a newly discovered Remote Access Trojan (RAT) with the ability to evade detection and launch additional payloads on infected systems, is also used in the campaign. Initial access into enterprise networks is gained by exploiting vulnerabilities in VMware products (e.g., Log4Shell), with the ultimate goal of establishing persistent access to perform activities supporting North Korean government objectives. This article continues to discuss the Lazarus Group's targeting of energy providers.

THN reports "North Korean Lazarus Hackers Targeting Energy Providers Around the World"
