Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans
The notorious North Korea-linked threat actor known as the Lazarus Group has been attributed to a new global campaign that involves the opportunistic exploitation of security flaws in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts.
Cisco Talos is tracking the activity under the name Operation Blacksmith, noting the use of three DLang-based malware families, including a RAT called NineRAT that leverages Telegram for command-and-control (C2), DLRAT, and a downloader dubbed BottomLoader.
The cybersecurity firm described the latest tactics of the adversary as a definitive shift and that they overlap with the cluster widely tracked as Andariel (aka Onyx Sleet or Silent Chollima), a sub-group within the Lazarus umbrella.
“Andariel is typically tasked with initial access, reconnaissance and establishing long term access for espionage in support of the North Korean government’s national interests,” Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura said in a technical report shared with The Hacker News.
Attack chains involve the exploitation of CVE-2021-44228 (aka Log4Shell) against publicly-accessible VMWare Horizon servers to deliver NineRAT. Some of the prominent sectors targeted include manufacturing, agriculture, and physical security.
The abuse of Log4Shell is not surprising given the fact that 2.8 percent of applications are still using vulnerable versions of the library (from 2.0-beta9 through 2.15.0) after two years of public disclosure, according to Veracode, with another 3.8% using Log4j 2.17.0, which, while not vulnerable to CVE-2021-44228, is susceptible to CVE-2021-44832.
NineRAT, first developed around May 2022, is said to have been put to use as early as March 2023 in an attack aimed at a South American agricultural organization, and then again in September 2023 on a European manufacturing entity. By using a legitimate messaging service like Telegram for C2 communications, the goal is to evade detection.
The malware acts as the primary means of interaction with the infected endpoint, enabling the attackers to send commands to gather system information, upload files of interest, download additional files, and even uninstall and upgrade itself.
“Once NineRAT is activated it accepts preliminary commands from the telegram based C2 channel, to again fingerprint the infected systems,” the researchers noted.
“Re-fingerprinting of infected systems indicates that the data collected by Lazarus via NineRAT may be shared by other APT groups and essentially resides in a different repository from the fingerprint data collected initially by Lazarus during their initial access and implant deployment phase.”
Also used in the attacks after initial reconnaissance is a custom proxy tool called HazyLoad that was previously identified by Microsoft as used by the threat actor as part of intrusions weaponizing critical security flaws in JetBrains TeamCity (CVE-2023-42793, CVSS score: 9.8). HazyLoad is downloaded and executed by means of another malware called BottomLoader.
Furthermore, Operation Blacksmith has been observed delivering DLRAT, which is both a downloader and a RAT equipped to perform system reconnaissance, deploy additional malware, and retrieve commands from the C2 and execute them in the compromised systems.
Cisco Talos told The Hacker News that “DLRAT is another iteration in the Lazarus trend, that started with MagicRAT, using exotic/uncommon languages and frameworks, along with modular malware in order to avoid detection.”
“The multiple tools giving overlapping backdoor entry present Lazarus Group with redundancies in the event a tool is discovered, enabling highly persistent access,” the researchers said.
The exploitation of Log4Shell by Andariel is not new, for the hacking crew has used the vulnerability as an initial access vector in the past to deliver a remote access trojan referred to as EarlyRat.
The disclosure comes as the AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of AutoIt versions of malware such as Amadey and RftRAT and distributing them via spear-phishing attacks bearing booby-trapped attachments and links in an attempt to bypass security products.
Kimusky, also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima, is an element operating under North Korea’s Reconnaissance General Bureau (RGB), which also houses the Lazarus Group.
It was sanctioned by the U.S. Treasury Department on November 30, 2023, for gathering intelligence to support the regime’s strategic objectives.
“After taking control of the infected system, to exfiltrate information, the Kimsuky group installs various malware such as keyloggers and tools for extracting accounts and cookies from web browsers,” ASEC said in an analysis published last week.
It also follows the discovery of a new Konni-linked phishing campaign that uses a malicious executable file disguised as a Microsoft Word file to deliver a backdoor that “receives obfuscated commands from the threat actor and executes them in XML format.”
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.