While the corporate networks of energy providers that were attacked by the group are based in the following countries:-
- The United States
In the past few years, Lazarus has been known for a number of operations that are conducted, and it’s a state-sponsored threat group.
Internationally, hundreds of sophisticated attacks have been carried out by the threat actors of this group. Here below we have mentioned the prime operations conducted by the Lazarus group:-
Before deploying VSingle Lazarus deactivates Windows Defender with the help of the following components:-
- Registry key modification
- PowerShell commands
While this is possible due to the fact that VMWare Horizon runs with high privileges. Here the VSingle is a backdoor that offers several sophisticated features like:-
- Commands for advanced network reconnaissance are supported.
- Creates an environment conducive to credential theft.
- The creation of new admin users on the host is performed.
- Obtains plugins that enhance the functionality of the C2 by establishing a reverse shell connection.
The access and reconnaissance procedures in the second scenario follow a pattern similar to the first scenario. VSingle and MagicRAT are two of the other malware that has been dropped by hackers this time around.
The hacking group, Lazarus deploys YamaBot in the third scenario. It is a custom malware written in the Go programming language.
There are several standard RAT capabilities that YamaBot offers, such as:-
- List files and directories.
- Send process information to C2.
- Download files from remote locations.
- Execute arbitrary commands on the endpoints.
- Uninstall itself.
Mimikatz and Procudumps were two tools that were used by hackers in some cases. It has also been reported that in some cases, copies of registry hives including AD credentials were exfiltrated.