Lazarus Group uses Log4j exploits to deploy remote access Trojans


The infamous North Korea-linked threat actor known as the Lazarus Group has been attributed to a new global campaign that is opportunistically exploiting security flaws in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts.

Cisco Talos is monitoring the activity under the name Operation Blacksmith and notes the use of three DLang-based malware families, including a RAT called NineRAT that uses Telegram for command-and-control (C2), DLRAT, and a downloader called BottomLoader.

The cybersecurity firm described the adversary’s latest tactics as a definitive shift and noted that they overlap with the cluster commonly tracked as Andariel (also known as Onyx Sleet or Silent Chollima), a subgroup within the Lazarus umbrella.

“Andariel is typically charged with initial access, reconnaissance, and establishing long-term access for espionage in support of the North Korean government’s national interests,” said Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura in a technical report shared with The Hacker News.

Attack chains involve exploiting CVE-2021-44228 (aka Log4Shell) against publicly accessible VMware Horizon servers to deliver NineRAT. Prominent sectors targeted include manufacturing, agriculture, and physical security.

The exploitation of Log4Shell is not surprising considering that, two years after public disclosure, 2.8 percent of applications are still using vulnerable versions of the library (from 2.0-beta9 through 2.15.0), according to Veracode, with another 3.8% using Log4j 2.17.0, which, while not vulnerable to CVE-2021-44228, is susceptible to CVE-2021-44832.
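As an added example (not code from the article, Talos or Veracode), the following Python script turns the version ranges quoted above into a check that can be run over a dependency inventory: it flags log4j-core versions from 2.0-beta9 through 2.15.0 as CVE-2021-44228 and exactly 2.17.0 as CVE-2021-44832, and it handles the pre-release tag in 2.0-beta9 when comparing versions. The inventory format and component names are constructed for the demonstration; the check knows only the two ranges the article gives and reports anything else as not in those ranges.

```python
import re
from typing import List, Optional, Tuple

# Version boundaries as quoted in the article (Veracode figures). Assumption:
# these are the only ranges this check is aware of.
CVE_2021_44228_FIRST = "2.0-beta9"
CVE_2021_44228_LAST = "2.15.0"
CVE_2021_44832_VERSION = "2.17.0"

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Log4j version string into a sortable tuple.

    Pre-release tags sort before the final release of the same number,
    so '2.0-beta9' < '2.0' < '2.0.1'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, tag, tag_num = m.groups()
    tag_rank = {"alpha": 0, "beta": 1, "rc": 2}.get((tag or "").lower(), 3)  # 3 = final
    return (int(major), int(minor), int(patch or 0), tag_rank, int(tag_num or 0))


def classify_log4j(version: str) -> Optional[str]:
    """Return the CVE the article associates with this version, or None."""
    v = parse_version(version)
    if parse_version(CVE_2021_44228_FIRST) <= v <= parse_version(CVE_2021_44228_LAST):
        return "CVE-2021-44228"
    if v == parse_version(CVE_2021_44832_VERSION):
        return "CVE-2021-44832"
    return None


# Constructed sample: Maven coordinates as they might appear in an inventory
# export (hypothetical component names, not data from the article).
SAMPLE_INVENTORY = """\
app-frontend  org.apache.logging.log4j:log4j-core:2.14.1
app-backend   org.apache.logging.log4j:log4j-core:2.17.0
batch-jobs    org.apache.logging.log4j:log4j-core:2.0-beta9
reporting     org.apache.logging.log4j:log4j-core:2.20.0
"""


def scan_inventory(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (component, version, cve) for every log4j-core entry found."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or ":log4j-core:" not in parts[1]:
            continue  # skip blank lines and non-log4j dependencies
        version = parts[1].rsplit(":", 1)[1]
        hits.append((parts[0], version, classify_log4j(version)))
    return hits


if __name__ == "__main__":
    for component, version, cve in scan_inventory(SAMPLE_INVENTORY):
        print(f"{component:<14}{version:<12}{cve or 'not in flagged ranges'}")
```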

NineRAT, first developed around May 2022, is said to have been used as early as March 2023 in an attack targeting a South American agricultural organization, and then again against a European manufacturing facility in September 2023. By using a legitimate messaging service like Telegram for C2 communications, the goal is to evade detection.

The malware acts as the main means of interaction with the infected endpoint, allowing the attackers to send commands to collect system information, upload files of interest, download additional files, and even uninstall and upgrade themselves.

“Once NineRAT is activated, it accepts preliminary commands from the telegram-based C2 channel, to re-fingerprint the infected systems,” the researchers noted.


“The re-fingerprinting of infected systems indicates that the data collected by Lazarus through NineRAT may be shared by other APT groups and is essentially in a different repository than the fingerprint data initially collected by Lazarus during their initial access and implant implementation phase.”

Also used in the attacks after the initial reconnaissance is a custom proxy tool called HazyLoad that was previously identified by Microsoft as being used by the threat actor as part of intrusions that weaponize critical security flaws in JetBrains TeamCity (CVE-2023-42793, CVSS score: 9.8). HazyLoad is downloaded and executed using another malware called BottomLoader.

Additionally, Operation Blacksmith has been observed to deliver DLRAT, a downloader and RAT equipped to perform system reconnaissance, deploy additional malware, and retrieve commands from the C2 and execute them on the affected systems.

Cisco Talos told The Hacker News that “DLRAT is a new iteration in the Lazarus trend, which started with MagicRAT, using exotic/uncommon languages and frameworks along with modular malware to avoid detection.”

“The multiple tools providing overlapping backdoor access provide Lazarus Group with redundancy if a tool is discovered, enabling highly persistent access,” the researchers said.

Andariel’s exploitation of Log4Shell is not new, as the hacking crew has used the vulnerability in the past as an initial access vector to deliver a remote access trojan called EarlyRat.

The revelation comes as the AhnLab Security Emergency Response Center (ASEC) details Kimsuky’s use of AutoIt versions of malware such as Amadey and RftRAT, spreading them via spear-phishing attacks using booby-trapped attachments and links in an attempt to circumvent security products.

Kimsuky, also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Nickel Kimball, and Velvet Chollima, is an element operating under the North Korean Reconnaissance General Bureau (RGB), which also houses the Lazarus Group.

It was sanctioned by the US Treasury Department on November 30, 2023, for gathering intelligence in support of the regime’s strategic objectives.

“After taking control of the infected system, the Kimsuky Group installs various malware to exfiltrate information, such as keyloggers and tools for extracting accounts and cookies from web browsers,” ASEC said in an analysis published last week.

It also follows the discovery of a new Konni-linked phishing campaign that uses a malicious executable disguised as a Microsoft Word file to deliver a backdoor that “receives obfuscated commands from the threat actor and executes them in XML format.”
