The YamaBot Malware is a hurtful threat that is being linked to the North Korean APT (Advanced Persistent Threat) cybercriminal organization known as the Lazarus Group. This particular malware strain is written in the Go programming language and its targets have been primarily been located in Japan. The cybercriminals have created different YamaBot versions, depending on the specific systems they want to infect. Initially, YamaBot was leveraged only against Linux OS servers, but a newer version capable of impacting Windows OS devices has been uncovered.
The exact functionality of YamaBot differs between the two versions. For starters, the initial information about the infected system gathered by the malware includes hostnames, usernames, and MAC addresses on Windows and only hostnames and usernames on Linux. Furthermore, the Linux version can only execute shell commands via /bin/sh.
However, on Windows, YamaBot can obtain file and directory lists, fetch additional files, modify the system's sleep time, execute shell commands and delete itself from the machine. For unknown reasons, the attackers have created the YamaBot threat to return the results of executed commands in German as well. As for its communication with the threatening operation's Command-and-Control server (C2, C&C), the threat utilizes HTTP requests.