Lately, the North Korean Lazarus APT group has been making the headlines. Its most recent activity includes using a new RAT, dubbed MagicRAT. This previously undocumented malware has been used against several victim networks.

Diving into details

  • Lazarus dropped MagicRAT after successfully abusing flaws in internet-facing VMware Horizon servers.
  • While the RAT is simple in its functionality, it was built on the Qt Framework, which makes manual analysis more challenging.
  • Moreover, MagicRAT’s C2 infrastructure had been used to host and serve newer strains of TigerRAT, another Lazarus implant.

Why this matters

The discovery of this new RAT in the wild shows the group's drive to quickly design new, customized malware and combine it with existing tools to target organizations across the world.

Another Lazarus campaign

  • Lazarus was, in addition to the above, found targeting energy providers in the U.S., Japan, and Canada. The campaign was conducted between February and July this year.
  • It aimed to infiltrate organizations worldwide to establish long-term access and consequently, exfiltrate data of interest to North Korea.
  • The attack chain started with exploiting bugs in VMware products and subsequently deployed two custom implants: YamaBot and VSingle.

The bottom line

Lazarus APT has become the most common source of North Korean cyber activity, ranging from cyberespionage to crypto theft to extortion. Moreover, Lazarus is an umbrella term that consists of several other North Korean cyber gangs. This APT group is an ongoing and significant threat that has been evolving with the changing times.
Cyware Publisher