Lazarus and the tale of three RATs

2022-09-08, CiscoTalos
http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
#VSingle #MagicRAT #YamaBot

Contents

- Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government.
- This campaign involved the exploitation of vulnerabilities in VMware Horizon to gain an initial foothold into targeted organizations.
- Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan.
- The campaign is meant to infiltrate organizations around the world to establish long-term access and subsequently exfiltrate data of interest to the adversary's nation-state.
- Talos has discovered the use of two known families of malware in these intrusions — VSingle and YamaBot.
- Talos has also discovered the use of a recently disclosed implant we're calling "MagicRAT" in this campaign.

Cisco Talos observed North Korean state-sponsored APT Lazarus Group conducting malicious activity between February and July 2022. Lazarus has been previously attributed to the North Korean government by the U.S. …

IoC
