According to a new advisory published by Cisco Talos security researchers earlier today, the attacks leveraged the Log4Shell flaw in public-facing VMware Horizon servers for initial access.
Upon successful exploitation, Lazarus conducted extensive reconnaissance, employing various commands to gather system information, query event logs and conduct OS credential dumping.
The attackers deployed a custom-made implant named HazyLoad, acting as a proxy tool to establish direct access to the compromised system.
Notably, Lazarus deviated from previous patterns by creating a local user account with administrative privileges instead of using unauthorized domain-level accounts.
In a significant development, the threat actors also shifted their tactics in the hands-on-keyboard phase by downloading and using credential dumping utilities, including ProcDump and Mimikatz.
The research identified a shift in Lazarus' tactics, as NineRAT is written in DLang, indicating a departure from traditional frameworks.
Cisco Talos also suggested that the data collected by Lazarus via NineRAT may be shared with other Advanced Persistent Threat groups, residing in a separate repository from initial access and implant deployment data.
Full details of the IOCs for this research can also be found in the firm's GitHub repository.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Mon, 11 Dec 2023 17:00:15 +0000