Lazarus Exploits Log4Shell to Deploy Telegram-Based Malware

North Korean hacking group Lazarus Group is exploiting Log4Shell to target manufacturing, agriculture and physical security sectors, resulting in the deployment of a tailored implant on compromised systems.

See Also: JavaScript and Blockchain: Technologies You Can’t Ignore

This attack campaign targeted publicly accessible VMware Horizon servers, leveraging the Log4Shell vulnerability tracked as CVE-2021-44228 for initial access, Cisco Talos researchers found.

The malware campaign, dubbed “Operation Blacksmith,” employs three novel malware families based on the DLang programming language. Two of them function as remote access Trojans, and the other one leverages Telegram bots and channels for command-and-control communications.

The researchers dubbed the Telegram-based RAT “NineRAT” and the non-Telegram variant “DLRAT.” The third component is a DLang-based downloader called “BottomLoader,” designed to retrieve additional payloads in subsequent stages of the operation.

The researchers said the exploit overlaps with Microsoft’s October disclosure, linking the activity to Lazarus Group subgroup Onyx Sleet, also known as Andariel. The subgroup pilfered 1.2 terabytes of data from South Korean entities and extorted approximately $357,000 in bitcoin from three companies (see: North Korean Hackers Steal South Korean Anti-Aircraft Data).

In the current campaign, researchers also observed the use of HazyLoad, a custom-made proxy tool previously only spotted by Microsoft. As of May, Cisco Talos had seen HazyLoad deployed onto a European company and a South Korean physical security and surveillance firm’s American subsidiary.

NineRAT uses Telegram as its command-and-control channel for commands, communication and file transfers. This method, used by Lazarus Group, adds a layer of evasion to network and host-based detection measures by leveraging a legitimate service for communications, the researchers said.

The malware consists of a dropper with three components, including an instrumentor called nsIookup.exe and a persistence mechanism, often used for modular infection chains.

The persistence setup involves a bat script that creates a service for the first component. NineRAT, once activated, becomes the primary interaction method with the infected host, and the older backdoor mechanisms such as HazyLoad persist, giving Lazarus redundant access points.

NineRAT’s interaction with Telegram involves DLang-based libraries that test authentication and enable document upload and download functionalities. Further investigation revealed two additional DLang-based malware families: BottomLoader, a downloader executing payloads from a remote host, and DLRAT, a downloader and RAT for deploying additional malware and executing C2 commands on infected endpoints.

The malware has built-in commands to explore a computer system and starts by running commands to gather initial details about the system, such as the operating system version, the user using the malware, and the MAC address for identifying the system on the network.

After the first set of actions, it creates a file called SynUnst.ini in the same folder. Once it has sent signals to the control server, the RAT shares the collected information and specific session details in a multipart format.

The command-and-control server’s response only includes the external IP address of the infected system. The malware recognizes specific command codes/names from the C2 servers, which trigger corresponding actions on the compromised system.