State-run threat actor Lazarus rides again, this time exploiting the notorious Log4Shell vulnerability in VMware Horizons servers. In this campaign, adversaries leverage Horizon, targeting the Republic of Korea with a NukeSped backdoor. First documented exploits date back to January 2022, with Lazarus hackers being spotted exploiting Log4Shell in VMware Horizons products since mid-Spring 2022. Almost half a year later, these exploits still remain a burning issue.
Leverage a new Sigma rule by a keen Threat Bounty developer Sohan G, released in the Threat Detection Marketplace repository of SOC Prime’s platform. The rule enables detection of the possible malicious activity associated with NukeSped malware:
The detection is available for the 20 SIEM, EDR & XDR platforms, aligned with the latest MITRE ATT&CK® framework v.10, addressing the Execution tactic with Command and Scripting Interpreter (T1059) as the main technique.
The world’s leading Detection as Code platform has aggregated 185K+ detection algorithms and threat hunting queries for multiple security platforms. Hit the View Detections button to browse through a rich library of detection content. Eager to develop your own Sigma rules, increase your threat hunting velocity, and contribute to the global threat hunting initiatives? Join our Threat Bounty Program!
North Korea-sponsored threat actors from Lazarus Group remain active in 2022, continuously widening the scope of their attacks, mostly targeting countries in the Asia-Pacific (APAC) region. This time, adversaries exploit an infamous Log4Shell vulnerability that is affecting Apache Log4j Java logging library, which since December 2021 has been actively abused by multiple threat actors.
The analysis team from the Ahnlab ASEC reported that Lazarus hackers use Vmware Horizon’s Apache Tomcat service to run a PowerShell script exploiting the Log4j. The PowerShell command installs the backdoor on the compromised server, where it is used for cyber espionage, e.g., stealing sensitive data, keyboard capturing, taking screenshots, and fetching malicious payloads to be deployed onto the targeted system, such as console-based information-stealer malware.
The malware variant used in this campaign is C++-written, used by Lazarus since at least 2020. According to the researchers, in this campaign, adversaries sometimes opted for the deployment of Jin Miner, a cryptocurrency miner bot, to target Horizon hosts.