In recent attacks, the North Korean threat group Lazarus exploited the Log4j flaw (CVE-2021-44228, Log4Shell) on publicly facing VMware Horizon servers to deploy Dlang-based malware, steal credentials and fingerprint infected systems.
The malicious activity, observed between March and September and tracked by Cisco Talos researchers as "Operation Blacksmith," uses three malware families written in the D programming language (Dlang): the NineRAT and DLRAT remote access trojans and a downloader for fetching additional payloads. The move to Dlang indicates a "definitive shift" in Lazarus' tactics, as the group continues to rely on non-traditional technologies and frameworks for developing its malware, the researchers said.
“NineRAT is written in DLang and indicates a definitive shift in TTPs from APT groups falling under the Lazarus umbrella with the increased adoption of malware being authored using non-traditional frameworks such as the Qt framework, such as MagicRAT and QuiteRAT, also previously attributed to Lazarus by Talos,” according to Jung soo An, Asheer Malhotra and Vitor Ventura, with Cisco Talos in a Monday analysis.
Over the past year, researchers have observed the campaign's malware used in attacks against a South American agricultural organization, a European manufacturing entity and the American subsidiary of a South Korean physical security and surveillance firm.
NineRAT was first observed as early as March. Once deployed, it accepts commands over a Telegram-based command-and-control (C2) channel and can gather preliminary information about the infected system for reconnaissance or uninstall itself. Lazarus, like other attackers in previous campaigns, is likely using the legitimate Telegram service so that its C2 traffic evades detection, the researchers said.
“The Telegram C2 channels used by the malware led to the discovery of a previously published Telegram bot ‘@StudyJ001Bot’ that was leveraged by Lazarus in NineRAT,” said researchers. “Using a publicly accessible Bot may lead to infrastructure hijacking and likely having recognized that, Lazarus started using their own Bots for NineRAT. Interestingly, switching over to their own Telegram C2 channels however did not deter the use of NineRAT samples already built to interact with the open channels and Andariel has continued to use them well into 2023 even though they first started work on NineRAT in 2022.”
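Hunting for the Telegram-based C2 described in the two paragraphs above, as an added example that is not part of the original article or of Talos's reporting: the script below scans constructed proxy log lines for Telegram Bot API calls, rates each hit by whether the source is a server (a Horizon connection server has no business polling a chat bot), pulls the bot ID that the Bot API places in the URL path, flags bots shared by several hosts (the "open channel" situation the researchers describe, where anyone holding the token can read and send through the bot) and redacts the token before the URL goes into a report. The log format, host names, bot IDs and tokens are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log lines, not real telemetry and not Talos IOCs.
# Assumed format: "<timestamp> <source host> <method> <url>". Bot tokens are made up.
SAMPLE_PROXY_LOG = """\
2023-09-12T08:01:03Z horizon-cs01 GET https://api.telegram.org/bot1234567890:AAExampleExampleExampleExampleExampl/getUpdates?offset=42
2023-09-12T08:01:05Z horizon-cs01 POST https://api.telegram.org/bot1234567890:AAExampleExampleExampleExampleExampl/sendMessage
2023-09-12T08:02:11Z wks-finance-17 GET https://web.telegram.org/a/
2023-09-12T08:03:40Z horizon-cs01 GET https://download.vmware.com/horizon/patch.zip
2023-09-12T08:04:02Z srv-erp02 GET https://api.telegram.org/bot9876543210:BBAnotherExampleTokenValueHereXYZ123/getUpdates
2023-09-12T08:05:00Z wks-hr-03 GET https://api.telegram.org/bot1234567890:AAExampleExampleExampleExampleExampl/getMe
"""

# Hosts that should never talk to a chat service. Constructed list; in practice this
# comes from a CMDB or the Horizon connection-server inventory.
SERVER_HOSTS = {"horizon-cs01", "srv-erp02"}

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")

# Telegram Bot API URLs carry the bot token in the path: /bot<bot_id>:<secret>/<apiMethod>.
# Whoever sees this token controls the bot, which is why a shared or public bot is hijackable.
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})"
    r"/(?P<api_method>[A-Za-z]+)"
)


@dataclass(frozen=True)
class BotApiHit:
    host: str
    bot_id: str
    api_method: str
    severity: str  # "high" when the source is a server, "low" otherwise


def redact_bot_token(url: str) -> str:
    """Mask the secret half of a Telegram bot token so the URL can be pasted into a ticket."""
    return re.sub(r"(/bot\d+:)[A-Za-z0-9_-]+", r"\1<redacted>", url)


def find_bot_api_use(log_text: str, server_hosts) -> list:
    """Return one BotApiHit per Bot API request; other Telegram traffic is ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        u = BOT_API_RE.match(m["url"])
        if not u:
            continue  # web.telegram.org, desktop clients, unrelated domains
        severity = "high" if m["host"] in server_hosts else "low"
        hits.append(BotApiHit(m["host"], u["bot_id"], u["api_method"], severity))
    return hits


def polling_hosts(hits) -> set:
    """Hosts calling getUpdates: the implant pulling commands, i.e. the beacon side of the C2."""
    return {h.host for h in hits if h.api_method == "getUpdates"}


def bots_shared_across_hosts(hits) -> dict:
    """bot_id -> hosts using it, restricted to bots seen from more than one host."""
    by_bot = {}
    for h in hits:
        by_bot.setdefault(h.bot_id, set()).add(h.host)
    return {b: hosts for b, hosts in by_bot.items() if len(hosts) > 1}


if __name__ == "__main__":
    found = find_bot_api_use(SAMPLE_PROXY_LOG, SERVER_HOSTS)
    for hit in found:
        print(f"{hit.severity:>4}  {hit.host:<15} bot={hit.bot_id} method={hit.api_method}")
    print("polling (beaconing) hosts:", sorted(polling_hosts(found)))
    print("bots shared across hosts:", bots_shared_across_hosts(found))
```

In a real deployment the same two regexes run over the proxy or TLS-inspection log; where TLS is not inspected, the SNI or DNS name api.telegram.org from a server host is still a usable, if coarser, signal.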
The downloader is used to deploy additional payloads, including a custom proxy tool called "Hazyload." Chaining these tools, the RATs together with the proxy, lets the group maintain persistent access without having to exploit the Log4j flaw again, so it can continue to issue commands and exfiltrate data. DLRAT also performs reconnaissance by gathering preliminary data about the system.
Lazarus, also known as APT38, has been active since 2010 and has conducted espionage, data theft and financially motivated attacks. The group is known for its rapid development of new malware and has lately used the Log4j vulnerability a number of times to gain a foothold in targeted organizations.
Earlier this year, researchers found the group exploiting a flaw in ManageEngine ServiceDesk to hit internet infrastructure and healthcare organizations in the U.S. and UK with two new malware families, and exploiting the Log4j flaw to deploy a new, "very simple" malware family with basic functionality for executing commands and collecting system information.