Image: Adobe Stock

Lazarus, also known as Hidden Cobra or Zinc, is a known nation-state cyber espionage actor from North Korea, according to the US government. The threat actor has been active since 2009 and has often shifted targets over time, likely based on nation-state interests.

Between 2020 and 2021, Lazarus compromised defense companies in more than a dozen countries, including the United States. It has also targeted selected entities to help strategic sectors such as aerospace and military equipment.

The threat actor is now targeting energy providers, according to a new report from Cisco Talos.

SEE: Mobile Device Security Policy (TechRepublic Premium)

Attack modus operandi

Lazarus often uses very similar techniques from attack to attack, as exhibited by Talos (Figure A).

Figure A

cyber kill lazarus channel list according to cisco talos
Image: Cisco Talos. Complete attack pattern of Lazarus’ current operation.

In the campaign reported by Talos, the primary infection vector is the exploitation of the Log4j vulnerability on Internet-connected VMware Horizon servers.

Once the targeted system is compromised, Lazarus downloads its toolkit from a web server it controls.

Talos witnessed three variants of the attack. Each variant consists of a different malware deployment. Lazarus could only use VSingle, VSingle and MagicRAT, or new malware called YamaBot.

Variations of the attack also involve the use of other tools such as mimikatz for credential harvesting, proxy tools to set up SOCK proxies, or reverse tunneling tools such as Plink.

Lazarus also checks for antivirus installed on endpoints and disables Windows Defender Antivirus.

Attackers also copy parts of Windows Registry Hives, for offline scanning and possible exploitation of credentials and policy information, and harvest information from Active Directory before creating their own high-privileged users. . These users would be removed once the attack is fully in place, in addition to removing temporary tools and cleaning up Windows event logs.

At this point, the attackers then take their time exploring the systems, listing several folders and placing those of particular interest, mostly proprietary IP, into a RAR archive file for exfiltration. The exfiltration is done via one of the malware used in the attack.

SEE: Protect your business from cybercrime with this dark web monitoring service (TechRepublic Academy)

Proprietary malware developed by Lazarus

Lazarus is a state-sponsored cyber espionage actor with the ability to develop and distribute its own malware families. Lazarus has created several malware, which it uses for its operations. Three different pieces of malware are used in the current attack campaign exposed by Talos, dubbed VSingle, YamaBot, and MagicRAT.


VSingle is a persistent backdoor used by the threat actor to perform different activities, such as reconnaissance, exfiltration, and manual backdoor. This is a basic stager, allowing attackers to deploy more malware or open a reverse shell that connects to a C2 server controlled by attackers, allowing them to execute commands via cmd .exe.

Using VSingle, Lazarus typically runs commands on infected computers to collect information about the system and its network. All of this information is mandatory for lateral movement activities, where attackers can plant more malware on other systems or find information to exfiltrate later.

Lazarus also used VSingle to force the system to cache user credentials, so it is possible to collect them later. The threat actor also used it to gain administrator privileges over users added to the system. This way, if the malware is fully removed, attackers can still access the network via Remote Desktop Protocol (RDP).

Lazarus uses two additional software when using VSingle: a utility called Plink, which allows the creation of encrypted tunnels between systems via the Secure Shell (SSH) protocol, and another tool called 3proxy, a small publicly available proxy server .


MagicRAT is the latest malware developed by the Lazarus team, according to Talos. It is a persistent malware developed in C++ programming language. Interestingly, it uses the Qt framework, which is a programming library used for GUIs. Since the RAT does not have a GUI, it is believed that using the Qt framework is to increase the complexity of malware analysis.

Once executed, the malware provides its C2 server with basic information about the system and its environment. It also provides the attacker with a remote shell and a few other features such as automatic malware removal or a sleep function to try to avoid detection.

In some attacks by the Lazarus group, MagicRAT deployed the VSingle malware.


In one particular attack, the Lazarus group deployed YamaBot after several attempts to deploy the VSingle malware. YamaBot is written in the Go programming language, and just like its peers, it starts by collecting basic system information.

YamaBot provides the ability to browse folders and list files, download and execute arbitrary files or commands on the infected computer, or return information about processes running on the machine.

Energy companies in danger

Although Talos does not disclose much about the actual targets of this attack campaign, the researchers mention that “Lazarus primarily targeted energy companies in Canada, the United States, and Japan. The primary purpose of these attacks was likely to establish long-term access to victim networks to conduct espionage operations in support of North Korean government objectives. This activity aligns with historic Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.

How to protect against the Lazarus cyber espionage threat

The Lazarus group makes extensive use of common vulnerabilities to compromise businesses. In the current operation, he exploited the Log4j vulnerability in order to gain a first foothold on the networks. Therefore, it is strongly advised to keep operating systems and all software updated and patched to avoid exploitation of such vulnerabilities.

It is also advisable to monitor all connections to RDP or VPN services from outside the company, as attackers sometimes impersonate employees by using their credentials to log into the system. For this reason, it is also advisable to deploy multi-factor authentication (MFA), so that an attacker cannot simply use valid credentials to log into systems.

Finally, security solutions should be deployed and customized to detect malware and potential misuse of legitimate tools such as Plink.

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.

About The Author

Related Posts