Lazarus Hackers Exploit Log4Shell Security Flaw to Deploy New RAT Malwares

Hackers connected to North Korean threat group, Lazarus, were observed exploiting Log4Shell vulnerability (aka CVE-2021-44228) to attack organizations worldwide.

Discovered in early 2023, the campaign dubbed ‘’Operation Blacksmith’’ by Cisco Talos researchers, is said to target manufacturing, agricultural and physical security companies worldwide.

‘’Operation Blacksmith involved the exploitation of CVE-2021-44228, also known as Log4Shell, and the use of a previously unknown DLang-based RAT utilizing Telegram as its C2 channel,’’ the advisory disclosed.

Exploiting Log4Shell flaw in publicly facing VMWare Horizon servers, the actors deployed three novel malwares. Of them, two are remote access trojans (RATs) named NineRAT and DLRAT, and the other is a malware downloader named BottomLoader. A definitive shift in Lazaus’ techniques and tools was observed, overlapping with its alleged sub-group, Onyx Sleet, (aka PLUTIONIUM or Andariel).

Upon initial reconnaissance, the hackers set up a proxy tool ״HazyLoad״ for continued access to the infected system. It was also observed that Lazarus, instead of using unauthorized domain-level user accounts, created system-level accounts with administrative privileges.

Another noted deviation observed in their tactic was ‘’downloading and using credential dumping utilities such as ProcDump and MimiKatzs’’ for their hands-on-keyboard activity.

The second phase of the campaign involves the deployment of the novel NineRAT. First identified in March 2023, the DLand-based trojan uses Telegram-based C2 channel for receiving preliminary commands. The malware not only has the ability to uninstall itself from the system but can also perform system re-fingerprinting, in some instances. This allows it to collect data shared by other APT groups.

‘’Re-fingerprinting the infected systems indicates the data collected by Lazarus via NineRAT may be shared by other APT groups and essentially resides in a different repository from the fingerprint data collected initially by Lazarus during their initial access and implant deployment phase,’’ Cisco concludes.