Lazarus hackers drop new RAT malware using 2-year-old Log4j bug

Trending 2 months ago

Lazarus hackers

The belled North Korean hacking accumulation accepted as Lazarus continues to accomplishment CVE-2021-44228, aka "Log4Shell," this time to arrange three ahead concealed malware families accounting in DLang.

The new malware are two alien acceptance trojans (RATs) called NineRAT and DLRAT and a malware downloader called BottomLoader.

The D programming language is rarely apparent in cybercrime operations, so Lazarus apparently chose it for new malware development to balk detection.

The campaign, which Cisco Talos advisers codenamed "Operation Blacksmith," started about March 2023 and targets manufacturing, agricultural, and concrete aegis companies worldwide.

Operation Blacksmith represents a notable about-face in approach and accoutrement acclimated by Lazarus, confined as yet addition affirmation of the blackmail group's ever-shifting tactics.

New malware tools

The aboriginal malware, NineRAT, is Lazarus' aboriginal of the two atypical RATs. It uses the Telegram API for command and ascendancy (C2) communication, including accepting commands and exfiltrating files from the breached computer.

NineRAT incorporates a dropper, which is additionally amenable for establishing chain and ablution the capital binaries.

The malware supports the afterward commands, which are acclimatized via Telegram:

  • info – Gather basic advice about the adulterated system.
  • setmtoken – Set a badge value.
  • setbtoken – Set a new Bot token.
  • setinterval – Set time breach amid malware acclamation to the Telegram channel.
  • setsleep – Set a time aeon for which the malware should sleep/lie dormant.
  • upgrade – Upgrade to a new adaptation of the implant.
  • exit – Exit beheading of the malware.
  • uninstall – Uninstall cocky from the endpoint.
  • sendfile – Send a book to the C2 server from the adulterated endpoint.

The additional malware, DLRAT, is a trojan and downloader that Lazarus can use to acquaint added payloads on an adulterated system.

DLRAT's aboriginal action on a accessory is to assassinate hard-coded commands to aggregate basic arrangement advice like OS details, arrangement MAC address, etc., and accelerate it to the C2 server.

The attacker's server replies with the victim's alien IP abode and one of the afterward commands for bounded beheading by the malware:

  • deleteme – Delete the malware from the arrangement application a BAT file
  • download – Download files from a defined alien location
  • rename – Rename files on the adulterated system
  • iamsleep – Instruct the malware to access a abeyant accompaniment for a set period
  • upload – Upload files to the C2 server
  • showurls – No implemented yet

Finally, Cisco's analysts apparent BottomLoader, a malware downloader that fetches and executes payloads from a hardcoded URL application PowerShell while additionally establishing chain from them by modifying the Startup directory.

In addition, BottomLoader offers Lazarus the accommodation to abjure files from the adulterated arrangement to the C2 server, accouterment some operational versatility.

Log4Shell attacks

The attacks empiric by Cisco Talos absorb leveraging Log4Shell, a analytical alien cipher beheading blemish in Log4j, which was apparent and anchored about two years ago yet remains a aegis problem.

The targets are about adverse VMWare Horizon servers, which use a accessible adaptation of the Log4j logging library, acceptance the attackers to accomplish alien cipher execution.

Following the compromise, Lazarus sets up a proxy apparatus for assiduous acceptance on the breached server, runs assay commands, creates new admin accounts, and deploys credential-stealing accoutrement like ProcDump and MimiKatz.

In the additional appearance of the attack, Lazarus deploys the NineRAT on the system, which supports a advanced ambit of commands, as accent in the antecedent section.

Operation Blacksmith advance chainOperation Blacksmith advance chain (Cisco Talos)

Cisco concludes that it's accessible Lazarus feeds added APT (advanced assiduous threat) groups or clusters beneath its awning with abstracts calm by NineRAT.

This acceptance is based on the actuality that NineRAT performs arrangement "re-fingerprinting" in some cases, implying that it could be assuming arrangement IDing and abstracts accumulating for assorted actors.