Summary:
A sophisticated cyber campaign, codenamed Operation Blacksmith, has been identified, showcasing intricate tactics and malware strategies utilized by the Lazarus Group, a prominent entity under the umbrella of North Korea's APT groups. This operation encompasses an array of malicious tools and techniques, highlighting a significant evolution in their methodologies and the emergence of novel malware families, including NineRAT, DLRAT, and BottomLoader.
Operation Blacksmith begins with the exploitation of CVE-2021-44228 (Log4Shell) on exposed VMware Horizon servers, providing an initial foothold for the Lazarus Group. The campaign unfolds in distinct phases, starting with meticulous reconnaissance that uses a range of commands for system information discovery, event log querying, and user identification. Upon successful infiltration, Lazarus deploys HazyLoad, a custom proxy tool that provides persistent access and reduces the need to re-exploit Log4Shell. This is complemented by the creation of new user accounts with administrative privileges, enabling hands-on-keyboard activity.
The deployment of NineRAT marks a pivotal shift in Lazarus's modus operandi. This DLang-based RAT uses Telegram as a covert command-and-control channel, executing commands for system information retrieval, software discovery, and reconnaissance. Routing C2 over Telegram adds a layer of evasion against traditional detection measures. Additionally, Lazarus introduces further DLang-based malware families, including DLRAT and BottomLoader. DLRAT functions as a downloader and RAT, executing system reconnaissance commands and establishing communication with its C2 server. BottomLoader, a downloader, fetches and executes remote payloads and persists by creating files in the Startup directory.
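As an added hunting example (not code from the original report or from any vendor tooling), the following Python rule set runs over constructed telemetry and flags three of the TTPs described above: a newly created account added to the local Administrators group, a file dropped into a user's Startup folder, and contact with the Telegram Bot API from a process that is neither a browser nor the Telegram client. The event schema, host names, user names and process names are assumptions made for the example.

```python
"""Hunt rules for the Operation Blacksmith TTPs described above, run over
constructed sample telemetry (assumed schema; not logs from any real incident)."""
import re

# Constructed sample events. Field names are an assumed, simplified SIEM schema.
SAMPLE_EVENTS = [
    {"type": "win_security", "event_id": 4720, "target_user": "svc_backup", "host": "horizon-01"},
    {"type": "win_security", "event_id": 4732, "target_user": "svc_backup",
     "group": "Administrators", "host": "horizon-01"},
    {"type": "file_create", "host": "horizon-01",
     "path": r"C:\Users\svc_backup\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"},
    {"type": "dns", "query": "api.telegram.org", "process": "svchost.exe", "host": "horizon-01"},
    {"type": "dns", "query": "api.telegram.org", "process": "chrome.exe", "host": "ws-17"},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\notes.txt", "host": "ws-17"},
]

# Per-user and all-users Startup folders both contain this path fragment.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Processes for which Telegram API traffic is expected and should not be flagged.
EXPECTED_TELEGRAM_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "telegram.exe"}


def hunt(events):
    """Return a list of (rule, host, detail) findings in event order."""
    findings = []
    created = set()  # (host, user) pairs seen in a 4720 "account created" event
    for ev in events:
        host = ev["host"]
        if ev["type"] == "win_security" and ev["event_id"] == 4720:
            created.add((host, ev["target_user"]))
        elif (ev["type"] == "win_security" and ev["event_id"] == 4732
              and ev.get("group") == "Administrators"):
            # A freshly created account promoted to admin matches the
            # hands-on-keyboard setup described in the campaign.
            rule = "new-admin-account" if (host, ev["target_user"]) in created else "admin-group-add"
            findings.append((rule, host, ev["target_user"]))
        elif ev["type"] == "file_create" and STARTUP_RE.search(ev["path"]):
            # BottomLoader-style persistence: a file written to the Startup folder.
            findings.append(("startup-persistence", host, ev["path"]))
        elif (ev["type"] == "dns" and ev["query"] == "api.telegram.org"
              and ev["process"].lower() not in EXPECTED_TELEGRAM_CLIENTS):
            # Telegram Bot API reached from an unexpected process (NineRAT-style C2).
            findings.append(("telegram-api-unexpected-process", host, ev["process"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Running the block on the sample data yields three findings, all on the constructed host horizon-01; the Telegram lookup from chrome.exe and the ordinary document write are not reported.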
Operation Blacksmith underscores Lazarus's enhanced sophistication and diversification of tools, demonstrating a proactive adaptation to avoid detection and maintain prolonged access to compromised systems. The use of Telegram as a C2 channel and the development of bespoke DLang-based malware exhibit a calculated effort to evade conventional security measures.
Threat Profile:

References:
The following reports contain further technical details: