Lazarus Campaign Underscores the Continued Relevance of the Log4j Vulnerability
Researchers at Cisco Talos report that the North Korean state-sponsored Lazarus Group continues to use the now two-year-old Log4j vulnerability, CVE-2021-44228, for initial access. The campaign, tracked as "Operation Blacksmith," has been active since March 2023 and overlaps with activity attributed to the Andariel APT group (aka Onyx Sleet, formerly PLUTONIUM), another North Korean actor. According to Talos, Lazarus is best understood as an umbrella of sub-groups supporting North Korea's objectives in defense, politics, national security, and research and development. Talos describes Andariel's role as "typically tasked with initial access, reconnaissance, and establishing long-term access for espionage in support of North Korean government interests."
Operation Blacksmith introduces three new malware families written in DLang, used in attacks against a South American agricultural entity and a manufacturing organization in Europe. The three, named "NineRAT," "DLRAT," and "BottomLoader," show the North Korean actors' willingness to experiment with new toolsets, after earlier adoption of technologies such as the Qt Framework and the PowerBasic compiler. Of the two RATs, NineRAT uses Telegram as its command-and-control (C2) channel and exhibits advanced functionality, including reconnaissance, file transfer, and self-destruction; DLRAT, a RAT and downloader that does not rely on Telegram, focuses on system reconnaissance. BottomLoader specializes in downloading and executing additional payloads, such as the proxy tool "HazyLoad."
The campaign unfolded in two phases. In the initial phase, Lazarus exploited the Log4j vulnerability to gain access to publicly facing VMware Horizon servers, targeting sectors including manufacturing, agriculture, and physical security. HazyLoad, a custom proxy tool that Cisco Talos described as a "common artifact" of the campaign, provided continued access. Various discovery commands were run in this first stage to enumerate system information and installed security products. To aid credential theft, the WDigest authentication configuration was modified so that passwords are cached in plaintext. Additional persistence came from the HazyLoad proxy together with the creation of a new user account that was added to the administrators group. Cisco Talos reports that hands-on-keyboard activity followed once this privileged account existed, with the threat actors dumping credentials from LSASS using ProcDump and Mimikatz. In the second and final phase, the attackers deployed NineRAT, which uses Telegram for C2 communication.
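The post-exploitation chain above (WDigest plaintext caching enabled, a new account added to Administrators, LSASS access) maps to a small set of host telemetry signals. The following detection sketch is an added example written for this page, not code from Cisco Talos or the report; the event records are constructed and reduced to a simplified key=value form, the host and account names are hypothetical, and the event ids used are Windows Security 4657/4720/4732 and Sysmon 10 (ProcessAccess). The registry value checked, UseLogonCredential under the WDigest key, is the standard setting that controls plaintext credential caching.

```python
import re
from typing import Dict, List

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry from one hypothetical host (not real log data).
SAMPLE_EVENTS = [
    'id=4688 host=HORIZON01 image=C:\\Windows\\System32\\cmd.exe user=Administrator',
    'id=4657 host=HORIZON01 object="\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\WDigest" value=UseLogonCredential new=1',
    'id=4720 host=HORIZON01 target=svc_backup subject=Administrator',
    'id=4732 host=HORIZON01 group=Administrators member=svc_backup',
    'id=10 host=HORIZON01 image=C:\\Temp\\pd.exe target=C:\\Windows\\System32\\lsass.exe',
]


def parse(line: str) -> Dict[str, str]:
    """Split a simplified key=value record into a dict, dropping quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def analyze(lines: List[str]) -> List[str]:
    """Return the names of the rules that fire over one host's event stream.

    The account rule is stateful: a 4732 only fires when the member was
    created (4720) earlier in the same stream, which mirrors the sequence
    described for this campaign and ignores existing admins being re-added.
    """
    findings: List[str] = []
    created = set()
    for e in (parse(l) for l in lines):
        eid = e.get("id")
        if (eid == "4657"
                and "wdigest" in e.get("object", "").lower()
                and e.get("value", "").lower() == "uselogoncredential"
                and e.get("new") == "1"):
            findings.append("wdigest_plaintext_caching_enabled")
        elif eid == "4720":
            created.add(e.get("target", "").lower())
        elif (eid == "4732"
                and e.get("group", "").lower() == "administrators"
                and e.get("member", "").lower() in created):
            findings.append("new_account_added_to_administrators")
        elif eid == "10" and e.get("target", "").lower().endswith("\\lsass.exe"):
            findings.append("lsass_process_access")
    return findings


if __name__ == "__main__":
    for name in analyze(SAMPLE_EVENTS):
        print("ALERT:", name)
```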
Lazarus Group's Operation Blacksmith exemplifies the evolving sophistication of nation-state cyber threats, combining DLang-based malware with the exploitation of enduring vulnerabilities like Log4j. The continued exploitability of Log4j is concerning: Veracode's report found that 38% of applications still use insecure Log4j versions, ranging from 1.2.x to 2.17.0. Organizations must urgently address the widespread use of outdated Log4j versions; patching and updating remain the critical controls for mitigating the risk posed by known vulnerabilities.