YamaBot Malware Employed by Lazarus Group

YamaBot is malware used by the threat actor known as the Lazarus Group.

YamaBot is also known as Kaos and is written and compiled in the Go programming language, an increasingly popular choice with malware authors.

The malware can communicate with its command and control server infrastructure using encrypted commands and HTTP requests. Information on the infected system's hostname, MAC address and current username can be passed back and forth over this channel.

The tools available to the malware change depending on the platform it is deployed on. YamaBot instances targeting Linux machines use only shell commands run through /bin/sh, while instances targeting Windows systems use a number of different commands that can obtain directory and file information, download files, execute strings using shell commands and delete YamaBot.

The Windows version of the malware was internally named YamaBot by its authors, and the versions targeting Linux are internally referred to as Kaos.

Security researchers are warning against attacks using the YamaBot malware, as Lazarus is a prominent and dangerous threat actor.

August 5, 2022