Hidden Threat in code: Lazarus Group masks malware through memory-safe languages

Brother

Agriculture, manufacturing, and critical infrastructure are the main targets of North Korean hackers.

Hackers linked to North Korea and known as the Lazarus Group are once again on the radar of security researchers. The reason is a new malicious campaign on a global scale organized by this group.

The campaign involves exploiting a vulnerability in the Log4j library, about which disappointing security statistics were published earlier. The Log4Shell bug (CVE-2021-44228) is now being used by the attackers to deploy remote access Trojans (RATs) on compromised hosts.

Cisco Talos tracks this activity under the name "Operation Blacksmith", noting that the attackers use three families of Dlang-based malware at once.

Experts describe the latest Lazarus tactics as a definite shift that clearly overlaps with the activities of the Andariel group (also known as Onyx Sleet or Silent Chollima), a subgroup of Lazarus.

"Andariel typically engages in initial access, intelligence, and establishing long-term access for espionage on behalf of the North Korean government," according to a technical report by Talos researchers.

Attack chains include the use of CVE-2021-44228 against publicly exposed VMware Horizon servers to deliver NineRAT. The main industries targeted are manufacturing, agriculture, and physical security.

The use of Log4Shell is not surprising, given that 2.8% of applications still use vulnerable versions of the library two years after the patch was released.

NineRAT, developed in May 2022, was first used in March 2023 in an attack on an agricultural organization in South America. The malware was then used again in September 2023 against a European manufacturing company. The hackers reportedly used Telegram as the channel for sending malicious commands in order to evade detection.

The malware acts as the primary means of interacting with an infected endpoint, allowing attackers to send commands to gather information about the system, upload files, download additional files, and even delete and update itself.

"As soon as NineRAT is activated, it accepts initial commands from the C2 channel in Telegram to collect digital fingerprints of infected systems again," the researchers note.

Also seen in the attacks was a custom proxy tool called HazyLoad, previously identified by Microsoft as being used by Lazarus in intrusions that exploited critical vulnerabilities in JetBrains TeamCity. HazyLoad is delivered and executed by another piece of malware called BottomLoader.

In addition, Operation Blacksmith involves the delivery of the DLRAT malware, which is both a loader and a remote access Trojan: it can perform system reconnaissance, deploy additional malware, and receive commands from the C2 server.

This campaign clearly demonstrates how dangerous it is to ignore known software vulnerabilities. Although the patch for Log4Shell was released two years ago, hackers still use the bug to break into networks, because developers did not consider it necessary to update the library in their products in time.
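Finding those outdated library copies is the practical problem behind the 2.8% figure above. As an added example (not code from the Talos report or from this post), the Python script below walks a directory tree, identifies log4j-core inside JAR, WAR and EAR archives (including JARs nested in fat JARs or WEB-INF/lib), and flags versions that predate the CVE-2021-44228 fix; the version table covers only this CVE, and the sample archives it builds are constructed for the demonstration.

```python
# Added example (not from the Talos report or this post): inventory scan for log4j-core
# copies predating the CVE-2021-44228 fix, including JARs nested inside WAR/EAR/fat JARs.
import io
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def is_vulnerable(version):
    """CVE-2021-44228 was fixed in 2.15.0, backported as 2.12.2 (Java 7) and 2.3.1 (Java 6)."""
    fixed = {3: (2, 3, 1), 12: (2, 12, 2)}.get(version[1], (2, 15, 0))
    return version[0] == 2 and version < fixed  # Log4j 1.x lacks the JNDI lookup at issue

def scan_zip(zf, label, findings):
    """Record each log4j-core copy in this archive, descending into nested archives."""
    names = zf.namelist()
    if JNDI_CLASS in names:  # present in every 2.x log4j-core build affected by Log4Shell
        # Prefer Maven metadata for the version; fall back to the archive's file name.
        text = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else label.rsplit("/", 1)[-1]
        m = VERSION_RE.search(text)
        version = tuple(int(x) for x in m.groups()) if m else None
        findings.append((label, version, version is None or is_vulnerable(version)))
    for name in names:
        if name.endswith((".jar", ".war", ".ear")):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                scan_zip(inner, f"{label}!{name}", findings)

def scan_tree(root):
    """Return sorted (location, version_or_None, needs_attention) tuples for archives under root."""
    findings = []
    for path in Path(root).rglob("*.[jwe]ar"):
        with zipfile.ZipFile(path) as zf:
            scan_zip(zf, str(path), findings)
    return sorted(findings)

def build_sample():
    """Constructed fixture: a bare 2.14.1 JAR plus a WAR bundling a patched 2.17.1 copy."""
    root = Path(tempfile.mkdtemp())
    with zipfile.ZipFile(root / "log4j-core-2.14.1.jar", "w") as zf:
        zf.writestr(JNDI_CLASS, b"")
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr(JNDI_CLASS, b"")
        zf.writestr(POM_PROPS, "version=2.17.1\n")
    with zipfile.ZipFile(root / "app.war", "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", nested.getvalue())
    return root
```

A copy whose version cannot be determined is reported as needing attention rather than silently passed, so the output errs on the side of manual review.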

Companies should update their software regularly and monitor new threats closely. It is also important to use modern security tools, such as antivirus software and intrusion detection systems. Security should be a top priority for any modern company.