Lazarus Group Targets Log4Shell Flaw Via Telegram Bots

Written by

The threat actor known as Lazarus Group has been observed targeting the Log4Shell vulnerability (CVE-2021-44228) in a new series of attacks dubbed “Operation Blacksmith.”

According to a new advisory published by Cisco Talos security researchers earlier today, the attacks leveraged the Log4Shell flaw in publicly facing VMWare Horizon servers for initial access.

“This campaign consists of continued opportunistic targeting of enterprises around the world that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation such as CVE-2021-44228,” reads the advisory.

“We have observed Lazarus target companies in the manufacturing, agricultural and physical security sectors.”

Lazarus Group's Shifting Tactics and Exploitation Techniques

Upon successful exploitation, Lazarus conducted extensive reconnaissance, employing various commands to gather system information, query event logs and conduct OS credential dumping. 

The attackers deployed a custom-made implant named HazyLoad, acting as a proxy tool to establish direct access to the compromised system. 

Notably, Lazarus deviated from previous patterns by creating a local user account with administrative privileges instead of using unauthorized domain-level accounts.

In a significant development, the threat actors also shifted their tactics in the hands-on-keyboard phase by downloading and using credential dumping utilities, including ProcDump and MimiKatz

The second phase of the operation revealed the deployment of a previously unknown Remote Access Trojan (RAT) dubbed “NineRAT.” Noteworthy is the RAT’s utilization of the Telegram-based C2 channel to receive preliminary commands for fingerprinting infected systems. 

Additionally, the research identified a shift in Lazarus’ tactics, as NineRAT is written in DLang, indicating a departure from traditional frameworks.

“NineRAT also has the capability to uninstall itself from the system using a BAT file,” the company added.

Cisco Talos also suggested that the data collected by Lazarus via NineRAT may be shared with other Advanced Persistent Threat (APT) groups, residing in a separate repository from initial access and implant deployment data.

Full details of the IOCs for this research can also be found in the firm’s Github repository.

Read more on Log4j vulnerabilities: Two-Fifths of Log4j Apps Use Vulnerable Versions

What’s hot on Infosecurity Magazine?