Lazarus targeting on VMware – Log4J Vulnerability Still Active

VMware servers are targeted again by the North Korean Hackers called Lazarus. The CVE-2021-44228 is exploited again to bring impact to a variety of products including the VMware Horizon Servers.

VULNERABILITY

The CVE-2021-44228 is an unauthenticated Remote Code Execution vulnerability to inject backdoors that fetch information-stealing payloads on the VMware.

At First, Log4j vulnerability is exploited through VMware Horizon’s Apache Tomcat service to execute a PowerShell command. This PowerShell command will trigger installing the NukeSped backdoor on the server.

NUKESPED

The NukeSped/NukeSpeed is a backdoor malware, with in-memory execution and remote download. This performs various espionage operations in the compromised environment. Espionage operations involve taking screenshots, recording key presses, accessing files, and more.

From the latest variant collected and analyzed, there are two new modules – one for dumping USB contents and the other for accessing web camera devices.

This backdoor malware is used by Lazarus to install an additional console-based information-stealer malware that collects information stored on web browsers.

According to ASEC’s Study, the data given below can be stolen by the info-stealer,

1. Credentials, Browsing history from web browsers,
2. E-mail account details and information, &
3. The recent file names of the Microsoft Office Tools (.xxs,.ppt,.docx – formats) and Hancom 2010.

JIN MINER

Apart from NukeSped, Lazarus was observed to be deploying Jin Miner to access Log4Shell. Jin Miner is a Crypto Miner which is probably used in less critical moments by the threat actors.

From the beginning of this year-2022, Lazarus was found exploiting the Living-Of-the-Land Binaries (LOLBins) in Campaigns targeting Windows and compromise Windows and macOS devices by downloading and running malicious cryptocurrency apps.

INDICATORS OF COMPROMISE