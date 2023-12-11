The notorious cybercriminal group linked to North Korea, known as the Lazarus Group, has been tied to a new global campaign involving the opportunistic exploitation of security vulnerabilities in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts.

Cisco Talos is monitoring the activity under the name Operation Blacksmith, noting the use of three DLang-based malware families, including a RAT called NineRAT that uses Telegram for command and control (C2), DLRAT and a downloader called BottomLoader.

How the Lazarus Group acted this time

The cybersecurity firm described the Lazarus Group's latest tactics as a definitive shift that overlaps with the activity cluster broadly tracked as Andariel (aka Onyx Sleet or Silent Chollima), a subgroup within the Lazarus umbrella.

"Andariel is generally in charge of initial access, reconnaissance and establishing long-term access for espionage in furtherance of the North Korean government's national interests," Talos researchers Jungsoo An, Asheer Malhotra and Vitor Ventura said in a technical report.

Attack chains involve the exploitation of CVE-2021-44228 (also known as Log4Shell) against publicly accessible VMware Horizon servers to deliver NineRAT; some of the hardest hit sectors include manufacturing, agriculture and physical security.

The abuse of Log4Shell is not surprising, given that 2.8% of applications still use vulnerable versions of the library (2.0-beta9 to 2.15.0) two years after public disclosure, according to Veracode, with another 3.8% using Log4j 2.17.0, which, while not vulnerable to CVE-2021-44228, is susceptible to CVE-2021-44832.
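As an added example (not from the Talos or Veracode reports), the following Python script shows how a practitioner can check a deployed log4j-core JAR against the two version ranges quoted above: it reads the version from the Maven `pom.properties` the JAR ships with, checks whether `JndiLookup.class` is still present (removing it was the common emergency mitigation for CVE-2021-44228), and reports which of the two CVEs the build is exposed to. The range for CVE-2021-44228 is the one Veracode counts (2.0-beta9 to 2.15.0); the lower bound for CVE-2021-44832 (2.0-beta7) and the fixed backport releases (2.12.2 and 2.3.1 for Log4Shell, 2.12.4 and 2.3.2 for CVE-2021-44832) are taken from the Apache advisories. `build_sample_jar` is a constructed stand-in for a real JAR so the script runs offline.

```python
import io
import re
import zipfile

# Entries inside a log4j-core JAR: the Maven metadata that records the version, and the
# lookup class whose removal was the widely used emergency mitigation for Log4Shell.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}


def parse_version(ver):
    """Map '2.0-beta9' or '2.17.0' to a tuple that sorts in release order.
    A pre-release tag sorts before the final release carrying the same number."""
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError("unrecognised log4j version: %r" % ver)
    major, minor, patch, tag, tag_num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _PRERELEASE_RANK[tag], int(tag_num or 0))


def classify(ver, jndi_lookup_present=True):
    """Return the CVE ids a log4j-core version is exposed to.
    CVE-2021-44228: 2.0-beta9..2.15.0 (the range Veracode counts), except the
    2.12.2+ and 2.3.1+ backport branches, and only if JndiLookup.class is still there.
    CVE-2021-44832: 2.0-beta7..2.17.0, except the 2.12.4+ and 2.3.2+ backports;
    stripping JndiLookup.class does NOT mitigate it (it lives in the JDBC appender)."""
    v = parse_version(ver)
    findings = []
    if v[0] != 2:
        return findings  # log4j 1.x / 3.x are outside both ranges discussed here

    in_44228 = parse_version("2.0-beta9") <= v <= parse_version("2.15.0")
    fixed_44228 = ((v[:2] == (2, 12) and v >= parse_version("2.12.2")) or
                   (v[:2] == (2, 3) and v >= parse_version("2.3.1")))
    if in_44228 and not fixed_44228 and jndi_lookup_present:
        findings.append("CVE-2021-44228")

    in_44832 = parse_version("2.0-beta7") <= v <= parse_version("2.17.0")
    fixed_44832 = ((v[:2] == (2, 12) and v >= parse_version("2.12.4")) or
                   (v[:2] == (2, 3) and v >= parse_version("2.3.2")))
    if in_44832 and not fixed_44832:
        findings.append("CVE-2021-44832")
    return findings


def scan_jar(jar):
    """Inspect a log4j-core JAR (path or file-like object): version, whether
    JndiLookup.class is still present, and the resulting CVE exposure."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        if POM_PROPS not in names:
            return None  # not log4j-core, or Maven metadata stripped from the JAR
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        if not m:
            return None
        version = m.group(1).strip()
        jndi_present = JNDI_LOOKUP in names
    return {"version": version,
            "jndi_lookup_present": jndi_present,
            "cves": classify(version, jndi_present)}


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for a real log4j-core JAR, used only so scan_jar can be
    exercised offline; it holds the Maven metadata and optionally the lookup class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Typical states seen in the field: unpatched, JndiLookup stripped, 2.17.0, 2.17.1.
    for ver, keep_jndi in (("2.14.1", True), ("2.14.1", False),
                           ("2.17.0", True), ("2.17.1", True)):
        print(ver, scan_jar(build_sample_jar(ver, keep_jndi)))
```

Run it against real JARs with `scan_jar("/path/to/log4j-core-2.x.y.jar")`; note that a JAR with `JndiLookup.class` removed still comes back with CVE-2021-44832 if it is 2.17.0 or older, which is exactly the 3.8% case Veracode describes.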

NineRAT, first developed around May 2022, appears to have been used as early as March 2023 in a targeted attack on a South American agricultural organization and then again in September 2023 against a European manufacturing entity. The use of a legitimate messaging service like Telegram for C2 communications is intended to evade detection.

The malware acts as the Lazarus Group's main means of interaction with the infected endpoint, allowing the attackers to send commands to gather system information, upload files of interest, download additional files, and even uninstall or update itself.

"Once activated, NineRAT accepts preliminary commands from the Telegram-based C2 channel to re-fingerprint infected systems," the researchers noted.
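The Telegram-based C2 described above leaves a simple network signature: a server that has no business running a messaging client talking to `api.telegram.org`, and doing so through the Bot API (`/bot<token>/<method>` paths such as `getUpdates`, `sendMessage` and `sendDocument`). The Python below is an added detection example, not Talos code and not a description of NineRAT's exact message format; it runs over constructed proxy-style log lines in an assumed `timestamp host process destination path` layout, with an assumed server inventory and an assumed allowlist of legitimate messenger processes, and flags hosts that fit the pattern.

```python
import re

# Constructed sample of web-proxy/EDR log lines in an assumed layout:
# "<timestamp> <src_host> <process> <dst_host> <url_path>". Tokens are fake.
SAMPLE_LOG = """\
2023-09-14T08:01:12Z horizon-cs01 java.exe api.telegram.org /bot123456:AAExample/getUpdates
2023-09-14T08:01:15Z horizon-cs01 java.exe api.telegram.org /bot123456:AAExample/sendMessage
2023-09-14T08:02:30Z ws-alice     Telegram.exe api.telegram.org /bot987654:AAOther/getMe
2023-09-14T08:03:01Z horizon-cs01 java.exe updates.vmware.com /horizon/manifest.xml
2023-09-14T08:05:44Z fileserver2  powershell.exe api.telegram.org /bot555555:AAThird/sendDocument
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<dst>\S+)\s+(?P<path>\S+)$")
# Telegram Bot API requests take the form /bot<token>/<method>.
BOT_METHOD_RE = re.compile(r"^/bot[^/]+/(?P<method>\w+)")

TELEGRAM_API = "api.telegram.org"
SERVER_HOSTS = {"horizon-cs01", "fileserver2"}  # assumed asset inventory (no messaging expected)
MESSENGER_CLIENTS = {"telegram.exe"}             # assumed allowlist of legitimate desktop clients


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect_telegram_c2(text):
    """Return {host: {"processes": [...], "methods": [...], "reasons": [...]}} for every
    host whose traffic to api.telegram.org comes from a server or from a process that is
    not a known messenger client. Bot API method names are kept for triage: a host that
    polls getUpdates and posts sendMessage/sendDocument is behaving like a bot, not a user."""
    hits = {}
    for rec in parse_log(text):
        if rec["dst"].lower() != TELEGRAM_API:
            continue
        reasons = []
        if rec["host"] in SERVER_HOSTS:
            reasons.append("server host")
        if rec["proc"].lower() not in MESSENGER_CLIENTS:
            reasons.append("non-messenger process")
        if not reasons:
            continue  # a workstation running the real client: expected traffic
        m = BOT_METHOD_RE.match(rec["path"])
        method = m.group("method") if m else rec["path"]
        entry = hits.setdefault(rec["host"], {"processes": set(), "methods": [], "reasons": set()})
        entry["processes"].add(rec["proc"])
        entry["methods"].append(method)
        entry["reasons"].update(reasons)
    # Normalise sets to sorted lists so the result is stable and easy to assert on.
    return {h: {"processes": sorted(e["processes"]),
                "methods": e["methods"],
                "reasons": sorted(e["reasons"])} for h, e in hits.items()}


if __name__ == "__main__":
    for host, info in detect_telegram_c2(SAMPLE_LOG).items():
        print(host, info)
```

The two assumed lists are the tuning knobs: on a VMware Horizon or other server estate `SERVER_HOSTS` alone is enough to make any Telegram API traffic alert-worthy, while on workstations the process allowlist separates a user's client from a RAT. Telegram traffic is TLS, so the path is only visible where an intercepting proxy or host-based sensor logs it; without that, alert on the destination alone.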

Also used in the attacks after initial reconnaissance is a custom proxy tool called HazyLoad, previously identified by Microsoft as used by the North Korean hacking group as part of intrusions exploiting a critical vulnerability in JetBrains TeamCity (CVE-2023-42793, CVSS score: 9.8); HazyLoad is downloaded and executed through another piece of malware called BottomLoader.

Furthermore, Operation Blacksmith has also been seen to deploy DLRAT, which is both a downloader and a RAT capable of performing system reconnaissance, deploying additional malware, and retrieving commands from the C2 and executing them on compromised systems.

"Multiple tools offering overlapping backdoor access provide the Lazarus Group with redundancies in the event a tool is discovered, enabling highly persistent access," the researchers said.

Andariel's exploitation of Log4Shell is not new, as the hacking group has used the vulnerability as an initial entry vector in the past to deliver a remote access trojan called EarlyRat.

The disclosure comes as the AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky's use of AutoIt versions of malware such as Amadey and RftRAT, distributed via spear-phishing attacks with malicious attachments and links in an attempt to bypass security products.

Kimsuky, a group also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Nickel Kimball and Velvet Chollima, is an element operating under North Korea's Reconnaissance General Bureau (RGB), which also houses the Lazarus Group.

It was sanctioned by the U.S. Department of the Treasury on November 30, 2023, for gathering intelligence to support the regime's strategic objectives.

"After taking control of the infected system, to exfiltrate information, the Kimsuky group installs various malware such as keyloggers and tools to extract accounts and cookies from web browsers," ASEC said in an analysis published last week.