The Lazarus Group [1] [2] [3] [4] [5] [6] [7], a threat actor linked to North Korea, has been identified as the perpetrator of a global campaign known as Operation Blacksmith [7]. This campaign exploits the Log4Shell vulnerability to deploy remote access trojans on compromised hosts [7], targeting sectors such as manufacturing [7], agriculture [1] [2] [3] [4] [5] [6] [7], and physical security [1] [2] [3] [4] [5] [6] [7].

Description

The Lazarus Group [1] [2] [3] [4] [5] [6] [7], utilizing the Log4Shell vulnerability (CVE-2021-44228) [4], conducts a global campaign called Operation Blacksmith [2] [7]. This group specifically targets sectors like manufacturing, agriculture [1] [2] [3] [4] [5] [6] [7], and physical security [1] [2] [3] [4] [5] [6] [7]. They exploit the vulnerability in publicly facing VMware Horizon servers [1] [4], allowing them to deploy remote access trojans (RATs) on compromised hosts [7].

After successfully exploiting the vulnerability, the Lazarus Group conducts extensive reconnaissance and establishes direct access to the compromised system using a custom-made implant called HazyLoad. They create a local user account with administrative privileges and employ credential dumping utilities like ProcDump and Mimikatz [4]. In the second phase [4], the group deploys a RAT called NineRAT, which utilizes Telegram for command-and-control communication [7]. Notably, NineRAT is written in DLang [4], indicating a departure from traditional frameworks [4]. The Lazarus Group may share the data collected via NineRAT with other Advanced Persistent Threat (APT) groups [4].

NineRAT has been active since May 2022 and has been used in attacks on organizations in South America and Europe [7]. This malware allows the attackers to gather system information [7], upload and download files [7], and even uninstall and upgrade itself [7]. Additionally, the Lazarus Group employs a custom proxy tool called HazyLoad and a downloader called BottomLoader [2] [6] [7]. They also utilize DLRAT, which serves as both a downloader and a RAT capable of system reconnaissance and executing commands received from the command-and-control server [7]. The Lazarus Group’s use of Log4Shell as an initial access vector is not new [7], as they have previously used it to deliver a remote access trojan called EarlyRat [7].
Cisco Talos has tracked the Lazarus Group’s activity and identified their overlap with a subgroup called Andariel, which focuses on initial access and espionage for North Korea’s interests [6]. The Lazarus Group’s attack chain involves exploiting the Log4Shell vulnerability in VMware Horizon servers to deliver NineRAT [6]. The tactics employed by the Lazarus Group align with Andariel’s objectives. The Lazarus Group’s continued use of Log4Shell is emphasized due to the prevalence of vulnerable versions of the library in applications [6]. Cisco Talos has observed three notable Andariel attacks using Log4Shell [3] [5], targeting an agriculture organization in South America [3] [5], a European manufacturing company [3] [5] [6], and an American subsidiary of a Korean physical security company [3] [5]. The group deploys malware written in the uncommon programming language “D” to evade detection and analysis [3] [5]. It is important to exercise extra vigilance and understanding when dealing with Lazarus attacks due to their unique approach [3]. The Lazarus Group’s use of multiple tools provides redundancies in case of discovery [2], enabling persistent access [2].

Conclusion

The Lazarus Group’s global campaign, Operation Blacksmith [1] [2] [4] [6] [7], poses significant threats to various sectors, including manufacturing [2] [6], agriculture [1] [2] [3] [4] [5] [6] [7], and physical security [1] [2] [3] [4] [5] [6] [7]. The exploitation of the Log4Shell vulnerability allows them to deploy remote access trojans and gain unauthorized access to compromised systems. The group’s use of custom-made implants, RATs [2] [3] [5] [6] [7], and unique programming languages like DLang demonstrates their sophistication and evasion techniques. It is crucial for organizations to exercise extra vigilance and understanding when dealing with Lazarus attacks [3]. Mitigations should include patching vulnerable versions of the Log4j library and implementing strong security measures to prevent unauthorized access. The Lazarus Group’s continued use of Log4Shell and their collaboration with the Andariel subgroup highlight the need for ongoing monitoring and intelligence sharing to detect and respond to their activities effectively.
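Patching "vulnerable versions of the library" presupposes knowing where they are. The following is an added example, not code from the original page or from the Log4j project: it walks a directory tree, finds log4j-core jars, reads the version from the Maven pom.properties entry that log4j-core jars carry (falling back to the file name), and reports whether that version falls in the CVE-2021-44228 range (2.0-beta9 through 2.14.1, excluding the 2.12.2+ and 2.3.1+ backport releases that shipped the fix) and whether the JndiLookup class, whose removal was the documented workaround, is still present. The sample jars the demo scans are constructed in a temporary directory and only mimic the layout of real ones; the `demo` and `build_sample_jar` helpers are assumptions for illustration.

```python
"""Added mitigation example (not from the original page): inventory log4j-core
jars under a path and report CVE-2021-44228 exposure per jar."""
import os
import re
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0): the pre-release tag is dropped."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable_cve_2021_44228(version):
    """True for Log4j 2.0-beta9 .. 2.14.1, excluding the 2.12.2+ and 2.3.1+
    backports that contain the fix. Log4j 1.x is not affected by this CVE.
    Pre-releases older than 2.0-beta9 are treated as vulnerable (conservative)."""
    if version is None or version[0] != 2:
        return False
    if version >= (2, 15, 0):
        return False
    if version[:2] == (2, 12) and version >= (2, 12, 2):
        return False
    if version[:2] == (2, 3) and version >= (2, 3, 1):
        return False
    return True


def inspect_jar(path):
    """Return version, vulnerable-range and JndiLookup-present flags for one jar."""
    with zipfile.ZipFile(path) as z:
        names = set(z.namelist())
        version = None
        if POM_PROPS in names:
            for line in z.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1].strip())
        if version is None:  # fall back to the file name, e.g. log4j-core-2.14.1.jar
            version = parse_version(os.path.basename(path))
        has_jndi = JNDI_CLASS in names
    vulnerable = is_vulnerable_cve_2021_44228(version)
    return {"path": path, "version": version, "vulnerable_version": vulnerable,
            "jndi_lookup_present": has_jndi, "exploitable": vulnerable and has_jndi}


def scan_tree(root):
    """Inspect every log4j-core*.jar below `root`."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                results.append(inspect_jar(os.path.join(dirpath, name)))
    return sorted(results, key=lambda r: r["path"])


def build_sample_jar(directory, version, keep_jndi_class=True):
    """Write a constructed, minimal jar mimicking log4j-core's layout (assumption)."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if keep_jndi_class:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return path


def demo():
    """Scan three constructed jars: vulnerable, vulnerable-but-JndiLookup-removed, patched."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "lib"))
        build_sample_jar(d, "2.14.1")
        build_sample_jar(os.path.join(d, "lib"), "2.14.1", keep_jndi_class=False)
        build_sample_jar(d, "2.17.1")
        return scan_tree(d)


if __name__ == "__main__":
    for r in demo():
        print(r)
```

A jar whose version is in the vulnerable range but whose JndiLookup class has been removed is reported as not exploitable for this CVE yet still flagged as a vulnerable version, since the removal is a workaround rather than an upgrade; the inventory should still drive a move to a fixed release. Nested jars (log4j-core shaded inside an application jar or WAR) are not unpacked here and would need a recursive pass.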

References

[1] https://ciso2ciso.com/lazarus-group-targets-log4shell-flaw-via-telegram-bots-source-www-infosecurity-magazine-com/
[2] https://vulnera.com/newswire/lazarus-group-exploits-log4j-security-flaws-to-launch-global-cyberattack-campaign/
[3] https://www.darkreading.com/threat-intelligence/lazarus-group-still-juicing-log4shell-rats-written-d
[4] https://www.infosecurity-magazine.com/news/lazarus-group-log4shell-flaw/
[5] https://flyytech.com/2023/12/11/lazarus-group-is-still-juicing-log4shell-using-rats-written-in-d/
[6] https://devel.group/blog/lazarus-group-applies-log4j-exploits-to-deploy-remote-access-trojans/
[7] https://thehackernews.com/2023/12/lazarus-group-using-log4j-exploits-to.html