December 11, 2023 at 11:22AM
North Korean hackers, under the Andariel group within the Lazarus collective, continue to exploit Log4Shell by launching attacks using new remote access Trojans written in the “D” programming language. These attacks illustrate their uniqueness as they exploit rare programming languages to evade detection, adding complexity to malware detection efforts. Their recent targets include organizations in South America, Europe, and the U.S.
The meeting notes provide a detailed overview of the recent cyber activities conducted by North Korean hackers, specifically the group “Andariel” within the Lazarus collective. The hackers have been exploiting the Log4Shell vulnerability and have recently launched attacks using novel remote access Trojans (RATs) written in the rarely seen “D” (dlang) programming language.
Andariel has targeted various organizations worldwide, including those in South America, Europe, and America. They have employed unique malware written in the obscure programming language “D” to evade detection and analysis, a strategy that sets them apart from other cybercrime groups.
The hackers’ latest attacks began with the exploitation of exposed VMware Horizon servers vulnerable to Log4Shell. After intrusion, they established persistence with a custom proxy tool named “HazyLoad” and deployed new users with administrative privileges to carry out further malicious activities, including the use of custom malware tools such as “NineRAT,” “DLRAT,” and “BottomLoader.”
North Korean hackers, particularly those within Lazarus, are known for their use of uncommon programming languages and custom malware to avoid traditional detection methods. This tactic challenges typical malware detection systems and demands extra vigilance from targeted organizations.
In summary, the meeting notes emphasize the unique and sophisticated approach of North Korean hackers, particularly Andariel, and the need for organizations to remain vigilant and adapt their detection and response strategies accordingly.