Pierluigi Paganini December 12, 2023

North Korea-linked APT group Lazarus was spotted exploiting Log4j vulnerabilities to deploy previously undocumented remote access trojans.

The North Korea-linked APT group Lazarus is behind a new hacking campaign that exploits Log4j vulnerabilities to deploy previously undocumented remote access trojans (RATs). Cisco Talos researchers tracked the campaign as Operation Blacksmith, the nation-state actors are employing at least three new DLang-based malware families. Two of these malware strains are remote access trojans (RATs), respectively tracked as NineRAT and “DLRAT”. The former relies on Telegram bots and channels for C2 communications.

Talos believes that NineRAT was built around May 2022, but was first spotted on March 2023 as part of Operation Blacksmith.

In March, the threat actors hit a South American agricultural organization. The experts observed the use of NineRAT at around September 2023 against a European manufacturing entity. 

Operation Blacksmith involved the exploitation of CVE-2021-44228, also known as Log4Shell.

Talos researchers reported some overlap with the malicious activities disclosed by Microsoft in October 2023 linked to the APT group Onyx Sleet (aka PLUTIONIUM or Andariel). 

Kaspersky researchers reported in June that the North Korea-linked APT group Andariel used a previously undocumented malware dubbed EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year.

“This particular attack observed by Talos involves the successful exploitation of CVE-2021-44228, also known as Log4Shell, on publicly facing VMWare Horizon servers, as a means of initial access to vulnerable public-facing servers.” reads the analysis published by Talos. “Preliminary reconnaissance follows the initial access leading to the deployment of a custom-made implant on the infected system.”

The Andariel APT (aka Stonefly) has been active since at least 2015, it was involved in several attacks attributed to the North Korean government.

Lazarus APT is an umbrella for sub-groups, each of them has specific objectives in defense, politics, national security, and research and development. Researchers reported that each sub-group conducts independent campaigns, deploying customized malware for specific targets without full coordination. Andariel, for instance, handles initial access, reconnaissance, and establishing long-term access for cyber espionage campaigns. Additionally, Andariel has been involved in ransomware attacks against healthcare organizations in certain instances.

The threat actors also used in Operation Blacksmith the custom proxy tool HazyLoad which was first detailed by Microsoft.

HazyLoad has been delivered through a third DLang malware called BottomLoader.

Below the attack chain observed by Talos in the Operation Blacksmith:

• Initial reconnaissance by Lazarus: The APT group gains initial access through successful exploitation of CVE-2021-44228;
• Lazarus deploys NineRAT;

“NineRAT is written in DLang and indicates a definitive shift in TTPs from APT groups falling under the Lazarus umbrella with the increased adoption of malware being authored using non-traditional frameworks such as the Qt framework, including MagicRAT and QuiteRAT.” concludes the report that includes Indicators of Compromise (IoCs). “Once NineRAT is activated, it accepts preliminary commands from the Telegram-based C2 channel, to again fingerprint the infected systems. Re-fingerprinting the infected systems indicates the data collected by Lazarus via NineRAT may be shared by other APT groups and essentially resides in a different repository from the fingerprint data collected initially by Lazarus during their initial access and implant deployment phase.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT)