North Korean Lazarus hackers drop new malware developed on Log4j bug

The advice is simple – always apply software updates

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

North Korea’s Lazarus hacking group has been linked with previously undocumented remote access trojans (RATs) and amalwaredownloader that exploit the Log4Shell vulnerability.

Cisco Talosresearchers are credited with discovering the new campaign, which is being dubbed Operation Blacksmith.

The analysts note the use of DLang – a programming language not typically used in attacks which could have helped the group to stay under the radar until now.

Lazarus DLang malware

A description for the vulnerability, which is being tracked asCVE-2021-44228, reads: “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”

The malware consists of a pair of RATs which have been named NineRAT and DLRAT by the cybersecurity group. The former uses Telegram bots and channels as a medium of C2 communications. The third is a downloader, called BottomLoader.

It is believed that NineRAT was developed around May 2023 before being used in Operation Blacksmith later in March 2023 against a South American agricultural organization. It was observed again in September 2023, targeting a European manufacturing entity.

The group, which has been active since around 2010, has a broad range of targets so far, including government, defense, finance, media, healthcare, and critical infrastructure. Talos says that goals vary, and include espionage, data theft, and financial gain to support state objectives.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Operation Blacksmith continues to opportunistically target global enterprises that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation, specifically CVE-2021-44228 (Log4j).

The vulnerability was discovered by a member of the Alibaba Cloud Security Team, and has since been addressed.

If nothing else, Lazarus’ attack highlights the criticality of applying security updates to all Internet-connected devices as a matter of urgency.

More from TechRadar Pro

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!

A new form of macOS malware is being used by devious North Korean hackers

Scammers are using fake copyright infringement claims to hack businesses

Quordle today – hints and answers for Saturday, November 9 (game #1020)