North Korean Lazarus hackers drop new malware developed on Log4j bug

A mysterious man holding a keyboard like a weapon
(Image credit: Shutterstock / leolintang)

North Korea’s Lazarus hacking group has been linked with previously undocumented remote access trojans (RATs) and a malware downloader that exploit the Log4Shell vulnerability.

Cisco Talos researchers are credited with discovering the new campaign, which is being dubbed Operation Blacksmith.

The analysts note the use of DLang – a programming language not typically used in attacks which could have helped the group to stay under the radar until now.

Lazarus DLang malware

A description for the vulnerability, which is being tracked as CVE-2021-44228, reads: “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”

The malware consists of a pair of RATs which have been named NineRAT and DLRAT by the cybersecurity group. The former uses Telegram bots and channels as a medium of C2 communications. The third is a downloader, called BottomLoader.

It is believed that NineRAT was developed around May 2023 before being used in Operation Blacksmith later in March 2023 against a South American agricultural organization. It was observed again in September 2023, targeting a European manufacturing entity.

The group, which has been active since around 2010, has a broad range of targets so far, including government, defense, finance, media, healthcare, and critical infrastructure. Talos says that goals vary, and include espionage, data theft, and financial gain to support state objectives.

Operation Blacksmith continues to opportunistically target global enterprises that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation, specifically CVE-2021-44228 (Log4j).

The vulnerability was discovered by a member of the Alibaba Cloud Security Team, and has since been addressed.

If nothing else, Lazarus’ attack highlights the criticality of applying security updates to all Internet-connected devices as a matter of urgency.

More from TechRadar Pro

Craig Hale

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!