Security research organization Cisco Talos recently disclosed a notorious cyber threat group linked to North Korea.Lazarus Group". This operation was named "Operation Blacksmith" and was characterized by usingLog4j vulnerability(CVE-2021-44228, also known asLog4Shell) to deploy a previously unknown remote access Trojan (RAT) on the target system.
Talossecurity expertJung soo An, Asheer Malhotra, and Vitor Ventura revealed that Lazarus Group used three malware families based on the DLang language to perform attacks, including NineRAT RAT, DLRAT, and a downloader called BottomLoader that uses Telegram as a command and control (C2) channel. device.
A technical report pointed out that the new tactics adopted in this operation have significant overlap with the behavioral patterns of Andariel, a sub-cluster of Lazarus (also known as Onyx Sleet or Silent Chollima). Andariel typically focuses on initial access, reconnaissance, and establishing long-term access to support the North Korean government’s strategic interests.
The target attack chain is mainly concentrated in the manufacturing, agricultural and physical security fields, through attacks on publicly accessible VMWare Horizon servers, and since it was first developed in May 2022, NineRAT has been deployed in multiple attacks, including There were attacks on South American agricultural organizations in March this year and attacks on European manufacturing entities in September.
Data shows that even after two years of public disclosure, 2.8% applications still use the Log4j version with security vulnerabilities, while the 3.8% application uses the Log4j 2.17.0 version, which is immune to the CVE-2021-44228 attack. Vulnerable to CVE-2021-44832.
After a successful infection, NineRAT performs another system fingerprinting through Telegram-based C2 communications, which indicates that the data collected by Lazarus through NineRAT may be shared with other APT groups and stored separately from the originally collected data.
The report also revealed that a custom proxy tool called HazyLoad was used in the attack to exploit a critical security vulnerability in JetBrains TeamCity (CVE-2023-42793, CVSS score 9.8). HazyLoad is typically downloaded and executed via malware called BottomLoader.
In addition, Operation Blacksmith also involved the deployment of DLRAT, which is not only a downloader but also a RAT that can perform system reconnaissance, deploy other malware, receive C2 commands and execute them on the infected system.
On the other hand, the South Korean Security Emergency Response Center (ASEC) released a report detailing another North Korean APT group Kimsuky (also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Nickel Kimball and Velvet) related to Lazarus Chollima), the group conducts spear phishing attacks with decoy attachments and links.
Original article by Chief Security Officer, if reproduced, please credit https://www.cncso.com/en/lazarus-group-exploits-log4j-vulnerability.html
