North Korean hackers using Log4J vulnerability in global campaign

Hackers connected to North Korea’s Lazarus Group have been exploiting the Log4j vulnerability in a campaign of attacks targeting companies in the manufacturing, agriculture and physical security sectors.

Known as “Operation Blacksmith,” the campaign saw Lazarus hackers use at least three new malware families, according to researchers at Cisco Talos who named one of the malware families “NineRAT.”

Remote access trojans (RATs) are malware designed to allow an attacker to remotely control an infected computer.

In a blog post, the researchers said they also observed overlaps between Lazarus and another North Korean group – known as Andariel or Onyx Sleet — widely considered to be a subsidiary of Lazarus.

“Operation Blacksmith involved the exploitation of CVE-2021-44228 also known as Log4Shell of vulnerable systems exposed to the Internet, and the use of a previously unknown DLang-based RAT utilizing Telegram as its [command-and-control] channel,” the researchers said.

They found that NineRAT was built in May 2022 and then first used nearly a year later, in March, against a South American agricultural organization. It was then used again in September against a European manufacturer.

Cisco Talos said their research into the campaign confirmed previous reports that when cybersecurity agencies and experts refer to Lazarus Group they are often actually including an umbrella of sub-groups run out of North Korea.

The sub-groups operate “their own campaigns and develop and deploy bespoke malware against their targets, not necessarily working in full coordination.”

The group behind Operation Blacksmith — Andariel — typically focuses its work on initial access, reconnaissance and establishing long-term access for espionage in support of the North Korean government’s national interests.

They noted that Andariel has in the past been seen launching ransomware attacks against healthcare organizations.

Cisco Talos tied Operation Blacksmith to Andariel because of the use of a complex tool called “HazyLoad,” which was found in the compromise of a European company and the American subsidiary of a South Korean physical security and surveillance company in May 2023, according to Cisco Talos.

Andariel is connected to North Korea’s intelligence office, the Reconnaissance General Bureau, which also houses Lazarus Group, according to the FBI.

Andariel was sanctioned in 2019 by the U.S. Treasury, which said the group “consistently executes cybercrime to generate revenue and targets South Korea’s government and infrastructure in order to collect information and to create disorder.”

Telegram’s role

What stood out most from the campaign was the hackers’ use of Telegram as a channel for command-and-control communications. The malware used Telegram as its main channel for “accepting commands, communicating their outputs and even for file transfer, both inbound and outbound.”

“The use of Telegram by Lazarus is likely to evade network and host based detection measures by employing a legitimate service as a channel of C2 communications,” they said.

The researchers explained that NineRAT is built from three separate components. One component will add the other two parts to a device before deleting itself. The other tools allow the hackers to establish persistence on a victim device.

In addition to the HazyLoad backdoor, the NineRAT malware is the main way the hackers communicate with the infected device.

The campaign involved attacks that targeted Log4Shell on public-facing VMWare Horizon servers. The hacker conducted reconnaissance activities after breaching organizations before downloading more malware that allowed them further access into victim organizations.

Cisco Talos said the Lazarus umbrella of APT groups has used Log4Shell to “deploy a multitude of malware, dual-use tools and conduct extensive hands-on-keyboard activity.”

In some instances the hackers created administrator accounts in order to give them greater network access.

Log4Shell continues to cause widespread issues two years after it was discovered on December 9, 2021.

A report from Veracode released last week said more than one-third of applications currently use vulnerable versions of Log4j.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.