North Korea’s Lazarus Group is once again exploiting the notorious two-year-old Log4j vulnerability in a recently discovered global campaign using three previously unknown malware strains.The novel malware being deployed by Lazarus sub-group Andariel includes two remote access trojans (RATs) and a downloader. One of the RATs uses Telegram bots and channels for its command-and-control (C2) communications.The campaign was discovered by Cisco Talos researchers who said in a Dec. 11 research post they observed the advanced persistent threat (APT) group targeting manufacturing, agricultural and physical security companies.“This campaign consists of continued opportunistic targeting of enterprises globally that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation such as CVE-2021-44228 [the Log4j flaw],” the post said.At least one of the attacks involved gaining initial access to an organization by successfully exploiting the Log4j vulnerability on publicly facing VMware Horizon servers.The researchers said while the Log4j vulnerability had been “extensively exploited” by Lazarus in the past, a unique feature of the new campaign, which they dubbed “Operation Blacksmith,” was the use of the D programming language (Dlang) to craft the malware.Dlang is not widely employed by threat groups and the researchers described its use as a “definitive shift in the tactics” used by Lazarus.“Over the past year and a half, Talos has disclosed three different remote access trojans (RATs) built using uncommon technologies in their development, like QtFramework, PowerBasic and, now, Dlang,” the researchers said.
Patch/Configuration Management, Vulnerability Management, Threat Intelligence
Lazarus Group continues to exploit Log4j flaw in latest campaign

North Korea's Lazarus Group's latest campaign uses malware crafted with DLang, but also looks to exploit the Log4j vulnerability. (BirgitKorber/Adobe)
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



