North Korea-backed group Lazarus has been spotted exploiting the Log4Shell vulnerability and novel malware written in DLang.
Log4Shell is a critical remote code execution vulnerability in Apache Log4j - a popular and widely used Java logging library - that was discovered and privately disclosed in late November 2021, patched on December 6, and quickly started being exploited by attackers.
Two years later, 38 percent of applications still use a vulnerable version of Log4j, according to Veracode.
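Because so many deployments still carry an unpatched copy, the first defensive step is simply finding which log4j-core jars are on a host and whether they are still exposed. The following scanner is an added example (not code from the article, Veracode, Talos or the Log4j project): it walks a directory, reads the Maven `pom.properties` embedded in each jar to get the version, and also checks whether the `JndiLookup` class is present, since removing that class was a published mitigation for hosts that could not upgrade immediately. The fix thresholds (2.15.0 as the first Log4Shell fix and 2.17.1 as the minimum a defender should accept) are assumptions taken from the widely documented release history; verify them against Apache's current advisory before relying on them. The sample jars it builds are constructed fixtures containing only the entries the scanner inspects.

```python
"""Find Log4j 2 core jars under a directory and report whether each one is
still exposed to Log4Shell. Added example; not from the article."""
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed fix thresholds (verify against the Apache Log4j security page):
# 2.15.0 was the first release addressing Log4Shell itself; 2.17.1 is taken
# here as the minimum a defender should accept for the 2.x line.
LOG4SHELL_FIX = (2, 15, 0)
RECOMMENDED_MIN = (2, 17, 1)
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn '2.14.1' (or 'log4j-core-2.14.1.jar') into a comparable tuple."""
    m = VERSION_RE.search(text or "")
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def inspect_jar(path):
    """Classify one jar. Returns None when it does not look like log4j-core."""
    path = Path(path)
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        has_jndi = JNDI_LOOKUP_CLASS in names
    # Fat/shaded jars rarely carry the log4j-core name, so also key on contents.
    looks_like_core = "log4j-core" in path.name or POM_PROPS in names or has_jndi
    if not looks_like_core:
        return None
    if version is None and "log4j-core" in path.name:
        version = parse_version(path.name)  # fall back to the file name
    if version is None:
        status = "unknown-version"
    elif version < LOG4SHELL_FIX:
        status = "vulnerable" if has_jndi else "mitigated-jndilookup-removed"
    elif version < RECOMMENDED_MIN:
        status = "below-recommended-minimum"
    else:
        status = "patched"
    return {"jar": str(path), "version": version,
            "has_jndi_lookup": has_jndi, "status": status}


def scan_directory(root):
    """Walk a directory tree and report every log4j-core jar found."""
    findings = []
    for jar_path in sorted(Path(root).rglob("*.jar")):
        if not zipfile.is_zipfile(jar_path):
            continue
        result = inspect_jar(jar_path)
        if result is not None:
            findings.append(result)
    return findings


def build_sample_jars(directory):
    """Constructed fixtures: minimal jars mimicking log4j-core layouts.
    They hold only the metadata and class entries the scanner looks at."""
    directory = Path(directory)
    samples = {
        "lib/log4j-core-2.14.1.jar": ("2.14.1", True),            # unpatched
        "lib/log4j-core-2.14.1-stripped.jar": ("2.14.1", False),  # class removed
        "lib/log4j-core-2.17.1.jar": ("2.17.1", True),            # patched
    }
    for rel, (version, keep_jndi) in samples.items():
        target = directory / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(target, "w") as jar:
            jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                         f"artifactId=log4j-core\nversion={version}\n")
            if keep_jndi:
                jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    # An unrelated jar that must not be reported.
    with zipfile.ZipFile(directory / "lib" / "app.jar", "w") as jar:
        jar.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    return directory


def demo_scan():
    """Build the constructed fixtures in a temp dir, scan, return name -> status."""
    with tempfile.TemporaryDirectory() as tmp:
        return {Path(f["jar"]).name: f["status"]
                for f in scan_directory(build_sample_jars(tmp))}


if __name__ == "__main__":
    for name, status in demo_scan().items():
        print(f"{status:30} {name}")
```

Point `scan_directory()` at an application's `lib/` or a container image's filesystem to get the same report for real jars; a `vulnerable` result means both an affected version and the JNDI lookup class still present, which is the combination the statistic above is counting.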
After a successful exploit, the attackers performed extensive reconnaissance and, finally, OS credential dumping.
Then they deployed HazyLoad - a custom-made proxy tool - to gain continuous access, create a new local user account, and download credential dumping tools, as well as a novel DLang-based remote access trojan called NineRAT, which was first spotted in a campaign in March 2023.
NineRAT uses Telegram for command and control communication, transferring files and evading detection.
It also uses a dropper binary to gain persistence and execute additional binaries.
DLRAT is a RAT and a downloader that allows attackers to perform system reconnaissance, deploy additional malware, fetch C2 commands and execute them on the endpoints.
In the last year and a half, North Korean threat actors have started using uncommon technologies to write malware: DLang, the Qt Framework and PowerBasic.
Talos researchers have found similarities between these attacks and those conducted in October 2023 by a North Korea-backed hacking group named Onyx Sleet.
This Cyber News was published on www.helpnetsecurity.com. Publication date: Tue, 12 Dec 2023 15:28:04 +0000