Lazarus group linked to malicious VMConnect campaign

Research by ReversingLabs has linked the campaign, named VMConnect, to Lazarus based on its discovery of malicious Python packages on the PyPI software repository.

 Clothing, Hood, Person, Computer, Electronics, Laptop, Pc, Computer Hardware, Hardware, Monitor, Screen, Coat, Knitwear, Sweater

A malicious campaign known as VMConnect, which targeted macOS, Linux, and Windows systems, has been attributed to the North Korean threat group Lazarus, according to cybersecurity researchers at ReversingLabs. The campaign involved the distribution of malicious Python packages on the PyPI software repository. ReversingLabs first discovered the VMConnect campaign in early August when they identified two dozen “malicious Python packages” on the openly accessible PyPI software repository. They later uncovered three more packages, tableditor, request-plus, and requestspro, that belong to the VMConnect family.

Analysis of the malicious packages and their decrypted payloads revealed links to previous campaigns attributed to Labyrinth Chollima, an offshoot of the Lazarus Group. The JPCERT, a Japanese computer emergency response team, previously reported similar malware samples targeting Windows, macOS, and Linux systems, further supporting the association with the VMConnect campaign. CrowdStrike, a leading cybersecurity company, also attributed the malware to Labyrinth Chollima, affirming the connection to the Lazarus Group.

The VMConnect campaign included deceptive techniques such as typosquatting and appropriation of legitimate package descriptions to make the malicious payloads appear trustworthy.