Lazarus group linked to malicious VMConnect campaign
Research by ReversingLabs has linked the campaign, named VMConnect, to Lazarus based on its discovery of malicious Python packages on the PyPI software repository.
A malicious campaign known as VMConnect, which targeted macOS, Linux, and Windows systems, has been attributed to the North Korean threat group Lazarus, according to cybersecurity researchers at ReversingLabs. The campaign involved the distribution of malicious Python packages on the PyPI software repository. ReversingLabs first discovered the VMConnect campaign in early August when they identified two dozen “malicious Python packages” on the openly accessible PyPI software repository. They later uncovered three more packages, tableditor, request-plus, and requestspro, that belong to the VMConnect family.
Analysis of the malicious packages and their decrypted payloads revealed links to previous campaigns attributed to Labyrinth Chollima, an offshoot of the Lazarus Group. The JPCERT, a Japanese computer emergency response team, previously reported similar malware samples targeting Windows, macOS, and Linux systems, further supporting the association with the VMConnect campaign. CrowdStrike, a leading cybersecurity company, also attributed the malware to Labyrinth Chollima, affirming the connection to the Lazarus Group.
The VMConnect campaign included deceptive techniques such as typosquatting and appropriation of legitimate package descriptions to make the malicious payloads appear trustworthy.
About author
DW Team
The GIP Digital Watch Observatory team, consisting of over 30 digital policy experts from around the world, excels in the fields of research and analysis on digital policy issues. The team is backed by the creative prowess of Creative Lab Diplo and the technical expertise of the Diplo tech team.