Lazarus exploits Log4Shell vulnerability to deliver novel RAT malware
North Korea-backed group Lazarus has been spotted exploiting the Log4Shell vulnerability (CVE-2021-44228) and deploying novel malware written in DLang (i.e., the memory-safe D programming language).
“This campaign consists of continued opportunistic targeting of enterprises globally that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation such as CVE-2021-44228. We have observed Lazarus target manufacturing, agricultural and physical security companies,” Cisco Talos researchers shared.
Log4Shell still opens doors
Log4Shell is a critical remote code execution (RCE) vulnerability in Apache Log4j – a popular and widely used Java logging library – that was discovered and privately disclosed in late November 2021, patched on December 6, and quickly started being exploited by attackers.
Two years later, 38 percent of applications still use a vulnerable version of Log4j, according to Veracode.
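As an added example (not from the article or from Cisco Talos), here is a Python inventory check a defender can run over application directories to find log4j-core jars whose version still falls in the CVE-2021-44228 affected range (2.0-beta9 through 2.14.1, excluding the fixed 2.3.1+ and 2.12.2+ backports for older Java runtimes), and to tell a vulnerable jar apart from one where JndiLookup.class was deleted as the interim mitigation. The status labels and the fixture builder are my own constructions.

```python
import re
import zipfile
from pathlib import Path

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # a final release ranks 3, so 2.0-beta9 < 2.0-rc1 < 2.0

def parse_version(text):
    """Parse a Log4j 2 version ('2.0-beta9', '2.14.1') into a comparable tuple; None if unrecognised."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text or "")
    if not m:
        return None
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch or 0), PRERELEASE_RANK.get(tag, 3), int(num or 0))

def affected_by_cve_2021_44228(version):
    """True for log4j-core 2.0-beta9 through 2.14.1, minus the fixed backports for old Java (2.3.1+, 2.12.2+)."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    if v < parse_version("2.0-beta9") or v > parse_version("2.14.1"):
        return False
    return not ((v[:2] == (2, 3) and v[2] >= 1) or (v[:2] == (2, 12) and v[2] >= 2))

def assess_jar(path):
    """Classify one log4j-core jar by the version in its file name and by whether JndiLookup.class is still inside."""
    path = Path(path)
    m = re.fullmatch(r"log4j-core-(.+)\.jar", path.name)
    version = m.group(1) if m else None
    with zipfile.ZipFile(path) as jar:
        has_lookup = JNDI_LOOKUP_CLASS in jar.namelist()
    if parse_version(version) is None:
        status = "unknown-version"  # inventory it; a human must read the manifest
    elif not affected_by_cve_2021_44228(version):
        status = "not-affected"
    else:
        status = "vulnerable" if has_lookup else "mitigated"  # affected version, but the lookup class was removed
    return {"jar": path.name, "version": version, "jndi_lookup_present": has_lookup, "status": status}

def scan_tree(root):
    """Walk a directory tree and assess every log4j-core jar found in it."""
    return [assess_jar(p) for p in sorted(Path(root).rglob("log4j-core-*.jar"))]

def make_sample_jar(directory, version, with_jndi_lookup=True):
    """Constructed test fixture, not a real artefact: a zip that optionally carries the JndiLookup class path."""
    path = Path(directory) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as jar:
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")  # placeholder bytes, not real bytecode
    return path
```

Run `scan_tree("/opt")` (or wherever applications are deployed) and triage anything reported as `vulnerable` or `unknown-version`; the version is taken from the file name, so repackaged or shaded jars still need a manual look at the manifest.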
Deploying novel DLang-based malware
Dubbed “Operation Blacksmith” by Cisco Talos, the attack started with the threat actors gaining initial access by exploiting the Log4Shell vulnerability in publicly facing VMware Horizon servers.
After a successful exploit, the attackers performed extensive reconnaissance, followed by OS credential dumping.
Then they deployed HazyLoad – a custom-made proxy tool – to gain continuous access, create a new local user account, and download credential dumping tools (ProcDump, Mimikatz), as well as a novel DLang-based remote access trojan (RAT) called NineRAT, which was first spotted in a campaign in March 2023.
NineRAT uses Telegram for command and control (C2) communication and for transferring files, which also helps it evade detection. It also uses a dropper binary to gain persistence and execute additional binaries.
Infection chain observed in Operation Blacksmith. (Source: Cisco Talos)
The researchers also discovered two more DLang-based malware families used by Lazarus in this campaign:
- DLRAT is a RAT and a downloader that allows attackers to perform system reconnaissance, deploy additional malware, fetch C2 commands and execute them on the endpoints
- BottomLoader is “simply a downloader” that retrieves and executes payloads, such as HazyLoad, from a remote host
North Korean hackers are shifting tactics
In the last year and a half, North Korean threat actors have started using uncommon technologies to write malware: DLang, the Qt Framework and PowerBasic.
Talos researchers have found similarities between these and the attacks conducted in October 2023 by a North Korea-backed hacking group named Onyx Sleet (aka PLUTONIUM or Andariel).
“Talos agrees with other researchers’ assessment that the Lazarus APT is essentially an umbrella of sub-groups that support different objectives of North Korea in defense, politics, national security and research and development. Each sub-group operates its own campaigns and develops and deploys bespoke malware against their targets, not necessarily working in full coordination,” Cisco Talos researchers said.
“Andariel is typically tasked with initial access, reconnaissance and establishing long-term access for espionage in support of North Korean government interests. In some cases, Andariel has also conducted ransomware attacks against healthcare organizations.”