Lazarus Group Utilizes Log4j Vulnerability to Deploy New Malware

The Lazarus hacking group, known for its origins in North Korea, continues to exploit the CVE-2021-44228 vulnerability, commonly referred to as “Log4Shell.” Their latest campaign involves the deployment of three new malware types, all developed using the D programming language, a choice likely made to evade detection due to its rarity in cybercrime.

This campaign, dubbed “Operation Blacksmith” by Cisco Talos researchers, began around March 2023 and primarily targets companies in the manufacturing, agriculture, and physical security sectors across the globe. This operation marks a significant evolution in Lazarus’s tactics and tools.

New Malware Deployed The first of the new malware, NineRAT, is a remote access trojan (RAT) that utilizes the Telegram API for command and control (C2) communications. It is capable of executing a variety of commands received through Telegram, including gathering system information, file exfiltration, and updating or uninstalling itself.

NineRAT also features a dropper component for establishing persistence and launching its main binaries on infected systems.

The second malware, DLRAT, serves as both a trojan and a downloader. It begins by collecting and sending preliminary system information to the C2 server. It then awaits further commands, which can include file download and upload, system file manipulation, and entering a dormant state.

The third component discovered is BottomLoader, a malware downloader. It fetches and executes payloads from a specified URL using PowerShell, also modifying the Startup directory for persistence. BottomLoader can exfiltrate files from the infected system to the C2 server.

Exploiting Log4Shell Vulnerability Lazarus leverages the Log4Shell vulnerability to conduct these attacks, primarily targeting VMWare Horizon servers with the outdated Log4j logging library. This allows remote code execution on the servers. Once compromised, Lazarus establishes persistent access, conducts reconnaissance, creates new admin accounts, and deploys credential-stealing tools like ProcDump and MimiKatz.

In a second phase, NineRAT is deployed, providing a wide range of functionalities. Cisco Talos suggests that Lazarus might be sharing the collected data with other advanced persistent threat (APT) groups under their umbrella, based on observed system re-fingerprinting activities, which imply data collection for multiple actors.

This ongoing situation highlights the continued security risks posed by unpatched vulnerabilities like Log4Shell and the evolving nature of cyber threats from groups like Lazarus.

Find the latest supply chain report news at The Supply Chain Report. For international trade tools, see ADAMftd.com.

#LazarusGroup #CyberSecurity #Log4Shell #CVE2021 #OperationBlacksmith #Malware #NineRAT #DLRAT #BottomLoader #CiscoTalos #VMWare #CyberThreats #APT