Lazarus Group Resurfaces, Exploiting Log4j Vulnerability and Spreading MagicRAT

[post-views]
September 12, 2022 · 3 min read
Lazarus Group Resurfaces, Exploiting Log4j Vulnerability and Spreading MagicRAT

Lazarus Group, also known as APT38, Dark Seoul, Hidden Cobra, and Zinc, has garnered a reputation as a highly-qualified and well-funded state-sponsored cluster of criminal hackers, wreaking havoc since 2009.

In the most recent campaign, Lazarus deployed novel MagicRAT malware after exploiting vulnerabilities in VMWare Horizon platforms, such as a high-profile Log4j flaw. The notorious APT aimed this series of attacks at a number of energy companies in the U.S., Japan, and Canada.

Detect Lazarus Group Activity

To identify possible attacks and remediate the novel Lazarus spear phishing compromise, opt for downloading a batch of free Sigma rules. The content was released by our keen Threat Bounty developer Emir Erdogan:

Highly Suspicious Scheduled Task Creation Of Lazarus APT Group Activity (MagicRAT detection via process_creation)

Highly Suspicious Lazarus APT Group Acitivity (MagicRAT detection via file_creation)

Highly Possible Lazarus APT Group RAT Usage (via process_creation)

The Sigma rules are effortlessly convertible to 26 SIEM, EDR, and XDR solutions and are aligned with the MITRE ATT&CK® framework v.10.

The complete list of detections related to the Lazarus APT is available in the Cyber Threats Search Engine – the industry-first free tool for in-depth cyber threat information and relevant context with sub-second search performance. SOC Prime’s search engine, powered by the innovative Detection as Code platform, helps SOC professionals to streamline threat detection operations by serving as an instant source of Sigma rules and relevant contextual information, including MITRE ATT&CK references, attack trends visualization, and threat intelligence insights. Press the Explore Detections button to learn more.

Explore Detections  

Latest Lazarus’ Attack Campaign Analysis

Cisco Talos released an overview of the new malicious campaign launched by North Korea’s Lazarus Group. Adversaries have introduced a new bespoke implant – a remote access trojan written in C++. The piece of malware, dubbed MagicRAT, performs system reconnaissance, allows to establish persistence by scheduled task creation, also enabling its operators to run arbitrary code and modify files. Additionally, the new RAT fetches additional payloads. According to the research data, threat actors use MagicRAT samples along with other custom-built RATs, such as TigerRAT. The studied examples were programmed with Qt Framework to complicate human analysis.

Based on observed attacks and news reports, we may derive that this North Korean nation-backed collective is expanding its reach with greater reliance upon different tools and techniques, regularly stirring up troubles for SOC professionals.

Every day, we publish detections for the latest threats, steering security professionals through the volatile threat landscape. With an On Demand subscription plan, you can save time and improve performance by instantly unlocking the content of your choice. Hop on the latest trends and bolster your organization’s cyber resilience with industry-specific solutions provided by SOC Prime. 

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts