Lazarus Group Exploits Log4j Security Flaws to Launch Global Cyberattack Campaign
December 11, 2023
The Lazarus Group, a North Korea-linked threat actor, is running a global campaign that exploits Log4j vulnerabilities to deploy newly observed remote access trojans (RATs). Cisco Talos, which tracks the activity as Operation Blacksmith, reports that the campaign relies on three malware families written in DLang: NineRAT, a RAT that uses Telegram for command-and-control (C2); DLRAT; and a downloader named BottomLoader. Talos describes a definitive shift in the adversary's tactics, with tooling and tradecraft that overlap with Andariel, a sub-group of Lazarus.
The attack chains exploit CVE-2021-44228 (Log4Shell) against publicly accessible VMware Horizon servers to deliver NineRAT. The main sectors targeted are manufacturing, agriculture, and physical security. Continued use of Log4Shell is unsurprising: according to Veracode, 2.8% of applications still ship versions of the library vulnerable to it, and another 3.8% use Log4j 2.17.0. That release closed the recursion denial-of-service bug (CVE-2021-45105) but is still affected by CVE-2021-44832, a remote code execution flaw in the JDBC Appender that requires an attacker able to modify the logging configuration; the fix is 2.17.1 (or 2.12.4 and 2.3.2 on the older Java branches).
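The version statistics above only matter if you can tell which log4j-core builds are actually on your hosts, and a bare version number is not enough: 2.17.0 is "patched" for Log4Shell yet still affected by CVE-2021-44832, while an older JAR that had JndiLookup.class deleted (the hot-fix Apache documented) is immune to the two lookup bugs but not to the other two. The script below is an added example, not tooling from Talos or Veracode. It reads the Maven pom.properties that log4j-core JARs carry, compares the version against the affected ranges published on the Apache Log4j security page, and accounts for the JndiLookup.class removal. The sample JARs it builds are constructed in memory and contain only the entries the scanner reads; they are not real artifacts.

```python
"""Triage log4j-core JARs against the four Log4j 2 CVEs from December 2021.

Added example, not tooling from Talos or Veracode. Affected ranges are the ones
published on the Apache Log4j security page; the sample JARs built by
make_sample_jar() are constructed for the demo and are not real artifacts.
"""
import io
import re
import zipfile
from pathlib import Path

# (CVE, first affected release, release that fixes it on each maintained branch)
LOG4J_CVES = [
    ("CVE-2021-44228", "2.0-beta9", ["2.3.1", "2.12.2", "2.15.0"]),   # Log4Shell: JNDI lookup RCE
    ("CVE-2021-45046", "2.0-beta9", ["2.3.1", "2.12.2", "2.16.0"]),   # incomplete fix, thread-context lookups
    ("CVE-2021-45105", "2.0-alpha1", ["2.3.1", "2.12.3", "2.17.0"]),  # uncontrolled recursion DoS
    ("CVE-2021-44832", "2.0-beta7", ["2.3.2", "2.12.4", "2.17.1"]),   # JDBC Appender JNDI, needs attacker-controlled config
]
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JNDI_ONLY_CVES = {"CVE-2021-44228", "CVE-2021-45046"}  # the two that deleting JndiLookup.class closes


def parse_version(v):
    """'2.0-beta9' -> (2, 0, 0, 1, 9). Final releases get rank 9 so they sort after pre-releases."""
    main, _, pre = v.partition("-")
    nums = [int(x) for x in main.split(".")]
    nums += [0] * (3 - len(nums))
    if not pre:
        return (*nums, 9, 0)
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", pre)
    rank = {"alpha": 0, "beta": 1, "rc": 2}.get(m.group(1).lower(), 3)
    return (*nums, rank, int(m.group(2) or 0))


def is_affected(version, first_affected, fixed_in):
    """True if `version` falls inside the affected range and below its branch's fix."""
    v = parse_version(version)
    if v < parse_version(first_affected):
        return False
    fixes = [parse_version(f) for f in fixed_in]
    # A release on a maintained branch (2.3.x, 2.12.x) is safe once it reaches that branch's fix
    if any(v[:2] == f[:2] and v >= f for f in fixes):
        return False
    return v < max(fixes)


def inspect_jar(jar):
    """Return version, JndiLookup presence and the CVEs that still apply; None if not log4j-core."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        if POM_PROPERTIES not in names:
            return None
        props = dict(
            line.split("=", 1)
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines()
            if "=" in line and not line.startswith("#")
        )
    version = props["version"].strip()
    jndi_present = JNDI_LOOKUP_CLASS in names
    affected = [
        cve for cve, first, fixed in LOG4J_CVES
        if is_affected(version, first, fixed)
        # Deleting JndiLookup.class (Apache's documented hot-fix) closes only the two lookup bugs
        and (jndi_present or cve not in JNDI_ONLY_CVES)
    ]
    return {"version": version, "jndi_lookup_present": jndi_present, "affected": affected}


def scan_tree(root):
    """Real-file entry point: every log4j-core JAR under `root`, keyed by path."""
    findings = {}
    for path in Path(root).rglob("*.jar"):
        try:
            info = inspect_jar(path)
        except (zipfile.BadZipFile, KeyError):
            continue  # not a readable JAR, or a pom.properties without a version line
        if info:
            findings[str(path)] = info
    return findings


def make_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for log4j-core-<version>.jar, built in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"#Generated by Maven\ngroupId=org.apache.logging.log4j\n"
                    f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    buf.seek(0)
    return buf


if __name__ == "__main__":
    samples = [("2.14.1", True), ("2.14.1", False), ("2.12.2", True), ("2.17.0", True), ("2.17.1", True)]
    for ver, jndi in samples:
        state = "present" if jndi else "removed"
        print(f"log4j-core {ver:9} JndiLookup {state:8}", inspect_jar(make_sample_jar(ver, jndi))["affected"])
```

Run it on a real tree with `scan_tree("/opt")` or similar; it ignores files that are not ZIP archives. It does not descend into nested archives (WAR or EAR files that bundle log4j-core inside), so a fuller audit needs recursion into those, and a JAR whose pom.properties was stripped by a repackaging step will be missed rather than flagged.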
NineRAT, which Talos says was built around May 2022, was reportedly used as early as March 2023 against a South American agricultural organization and again in September 2023 against a European manufacturing entity. Routing C2 through a legitimate messaging service lets the traffic blend in with ordinary outbound connections, which is how the attackers aim to evade detection. The malware is the attackers' primary means of interacting with the infected endpoint: it accepts commands to gather system information, upload files of interest, download additional files, and uninstall or upgrade itself.
After initial reconnaissance, the attackers also deploy a custom proxy tool called HazyLoad, which Microsoft previously documented in North Korean intrusions exploiting the critical JetBrains TeamCity flaw CVE-2023-42793. HazyLoad is downloaded and executed by BottomLoader. Operation Blacksmith has also been observed delivering DLRAT, a combined downloader and RAT that performs system reconnaissance, deploys additional malware, and retrieves and executes commands from the C2 server on compromised systems.
The Lazarus Group's use of multiple tools that each provide backdoor access gives the group redundancy: if one implant is discovered and removed, the others preserve access, making the intrusion highly persistent. The disclosure follows reports from the AhnLab Security Emergency Response Center (ASEC) detailing the use of AutoIt versions of malware such as Amadey and RftRAT by Kimsuky, another North Korea-linked threat actor. Kimsuky, also tracked as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Nickel Kimball, and Velvet Chollima, operates under North Korea's Reconnaissance General Bureau (RGB), which also houses the Lazarus Group.