Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Craig Hale

North Korean Lazarus hackers drop new malware developed on Log4j bug

A mysterious man holding a keyboard like a weapon.

North Korea’s Lazarus hacking group has been linked with previously undocumented remote access trojans (RATs) and a malware downloader that exploit the Log4Shell vulnerability.

Cisco Talos researchers are credited with discovering the new campaign, which is being dubbed Operation Blacksmith.

The analysts note the use of DLang – a programming language not typically used in attacks which could have helped the group to stay under the radar until now.

Lazarus DLang malware

A description for the vulnerability, which is being tracked as CVE-2021-44228, reads: “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”

The malware consists of a pair of RATs which have been named NineRAT and DLRAT by the cybersecurity group. The former uses Telegram bots and channels as a medium of C2 communications. The third is a downloader, called BottomLoader.

It is believed that NineRAT was developed around May 2023 before being used in Operation Blacksmith later in March 2023 against a South American agricultural organization. It was observed again in September 2023, targeting a European manufacturing entity.

The group, which has been active since around 2010, has a broad range of targets so far, including government, defense, finance, media, healthcare, and critical infrastructure. Talos says that goals vary, and include espionage, data theft, and financial gain to support state objectives.

Operation Blacksmith continues to opportunistically target global enterprises that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation, specifically CVE-2021-44228 (Log4j).

The vulnerability was discovered by a member of the Alibaba Cloud Security Team, and has since been addressed.

If nothing else, Lazarus’ attack highlights the criticality of applying security updates to all Internet-connected devices as a matter of urgency.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.