December 11, 2023 at 09:12AM
The Lazarus Group, a North Korea-linked threat actor, has launched a global campaign exploiting Log4j security flaws to deploy remote access trojans. Cisco Talos named the operation “Operation Blacksmith,” noting the use of DLang-based malware families. The group’s tactics overlap with Andariel, targeting various sectors and using NineRAT through a legitimate messaging service.
Based on the meeting notes, the key takeaways are:
1. The Lazarus Group has been linked to a new global campaign involving the exploitation of security flaws in Log4j to deploy previously undocumented remote access trojans (RATs).
2. The campaign, known as Operation Blacksmith, uses three DLang-based malware families, including NineRAT, which leverages Telegram for command-and-control (C2), DLRAT, and a downloader dubbed BottomLoader.
3. The Lazarus Group’s tactics in this campaign overlap with the cluster widely tracked as Andariel, a sub-group within the Lazarus umbrella, which is typically tasked with initial access, reconnaissance, and establishing long term access for espionage in support of the North Korean government’s national interests.
4. The attack chains involve the exploitation of CVE-2021-44228 (aka Log4Shell) against publicly-accessible VMWare Horizon servers to deliver NineRAT, targeting sectors such as manufacturing, agriculture, and physical security.
5. The NineRAT malware is designed to evade detection by using a legitimate messaging service for C2 communications and acts as the primary means of interaction with the infected endpoint, enabling the attackers to gather system information, upload files of interest, download additional files, and uninstall and upgrade itself.
6. The Lazarus Group utilizes a custom proxy tool called HazyLoad and DLRAT, which is both a downloader and a RAT equipped to perform system reconnaissance, deploy additional malware, and retrieve commands from the C2 to execute them in the compromised systems.
7. Kimusky, an element operating under North Korea’s Reconnaissance General Bureau (RGB) and also part of the Lazarus Group, has been detailed in its use of AutoIt versions of malware such as Amadey and RftRAT in spear-phishing attacks to bypass security products and gather intelligence to support the regime’s strategic objectives.
Please let me know if there is anything else I can assist you with.