Lazarus Hackers Exploit 2-Year-Old Log4j Vulnerability to Deploy New RAT Malware – Source: heimdalsecurity.com

Researchers warn Lazarus threat actors still exploit known Log4j vulnerability to infect devices with new DLang malware strains.

The new campaign, dubbed Operation Blacksmith, became active on March 23. Hackers target manufacturing, agricultural, and physical security companies that failed to apply existing patches against Log4Shell vulnerability.

More about the new RAT malware

Researchers revealed Lazarus used two new remote access trojans (RATs) named NineRAT and DLRAT for their recent attacks. The attackers also used BottomLoader, which is a malware downloader.

NineRAT

Lazarus’ first novel RAT uses the Telegram API for command and control communications. It features a dropper for persistence and executing main binaries. Additionally, it supports various commands via Telegram for:

• collecting and exfiltrating system data
• setting token values
• upgrading to new versions
• controlling malware activity intervals
• self-uninstallation

DLRAT

The second Lazarus RAT works as both a trojan and a downloader. It starts by collecting and sending system information to its C&C server.

The server responds with the victim’s external IP address and commands for local execution, enabling:

• file manipulation
• downloading additional payloads
• entering a dormant state

BottomLoader

Is a downloader that uses PowerShell to fetch and run payloads from a hardcoded URL. It modifies the Startup directory for persistence.

Further on it enhances Lazarus’s capabilities for data exfiltration and system control.

Why is Log4j still a danger to companies?

The Log4Shell vulnerability, tracked CVE-2021-44228, is a critical security flaw in Apache Log4j, a widely used logging utility in Java applications.

Although patches are available since 2021, the Log4j vulnerability is still a threat to companies. So, why are there still companies that didn’t apply updates to mitigate Log4Shell?

Complex and large IT infrastructures

Patching IT systems running numerous applications that use different versions of Log4j is challenging.

In complex environments that use a variety of OS-es and devices, tracking and updating all instances of the vulnerable library is a time-consuming task.

Third-party software

For companies that use third-party applications that incorporate Log4j the job is even harder. They must rely on these third-party vendors to release patches.

Legacy systems and compatibility issues

Older systems that are still in use are not always compatible with the updated, patched versions of Log4j. Updating these systems could lead to breaking critical functionalities.

Limited resources and awareness

Smaller or limited IT security resources companies don’t have the capacity or expertise to quickly identify and mitigate the vulnerability. Log4shell did get a lot of publicity.

However, some might still not acknowledge how seriously this vulnerability could impact their business.

How to prevent infection with the new Lazarus RAT malware?

The answer is apply available updates. But, as seen above, this can be a real challenge for complex IT environments.

The safest and fastest way to keep all the software on all devices up to date is using an automated patch management solution.

Best patch management tools:

• keep devices and software inventory up to date

• constantly scan for vulnerabilities

• assess known vulnerabilities to prioritise the critical ones

• keep track of available patches

• can easily be configured to deploy updates at the most convenient schedule for your organization.

Follow the patch management best practices to close critical vulnerabilities in your organization and keep safe from Log4j exploits.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.