The hacker group known as Lazarus has been linked to a global campaign that exploits an old, long-patched security flaw in Log4j to deploy previously unknown remote access trojans (RATs) on compromised hosts. To learn more and limit the impact of this malware, please review this Cybersecurity Threat Advisory.
What is the threat?
The new malware consists of two RATs, named NineRAT and DLRAT, and a downloader known as BottomLoader. NineRAT has been reported to use Telegram for command-and-control (C2) communications, while DLRAT can perform system reconnaissance, deploy additional malware, and retrieve C2 commands and execute them on compromised systems. BottomLoader is a downloader that fetches and executes payloads from a hardcoded URL and establishes persistence by modifying the startup directory.
Why is it noteworthy?
The malware is part of a global campaign, dubbed “Operation Blacksmith”, that started in March 2023 and targets companies involved in manufacturing, agriculture, and physical security. The first of the malware, NineRAT, supports commands such as “info”, which gathers preliminary information about the system; “setmtoken”, which sets a token value; “setbtoken”, which sets a new bot token; and others. The second, DLRAT, supports commands including “deleteme”, which deletes the malware from the system using a BAT file; “rename”, which renames files on the infected system; and “iamsleep”, which instructs the malware to enter a dormant state for a specified period of time.
What is the exposure or risk?
The observed attacks exploit Log4Shell, a critical remote code execution flaw in Log4j disclosed two years ago. Although a patch has long been available, the flaw remains a serious security problem. The attackers target publicly facing VMware Horizon servers running a vulnerable Log4j version in order to achieve remote code execution.
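As an added defensive check (example code, not part of the original advisory), the following Python script inventories log4j-core jars under an install tree and classifies each one by release version and by whether JndiLookup.class is still present, so exposed, interim-mitigated and patched instances can be told apart. The sample jars are constructed in a temporary directory, and the jar-name pattern and version thresholds are assumptions drawn from the Log4j release history rather than from this advisory.

```python
import os
import re
import tempfile
import zipfile

# Matches versioned log4j-core jars, e.g. log4j-core-2.14.1.jar (assumption: standard Maven naming).
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def is_vulnerable_version(major, minor, patch):
    """Below the fully fixed release of its line: 2.17.0, or 2.12.4 / 2.3.2 for the Java 7 / 6 lines."""
    fixed = {3: (3, 2), 12: (12, 4)}.get(minor, (17, 0))
    return major == 2 and (minor, patch) < fixed

def classify_jar(path):
    """'exposed', 'mitigated' (vulnerable version but JndiLookup.class stripped), 'ok', or None."""
    m = JAR_RE.match(os.path.basename(path))
    if not m:
        return None
    if not is_vulnerable_version(*map(int, m.groups())):
        return "ok"
    with zipfile.ZipFile(path) as jar:
        return "exposed" if JNDI_CLASS in jar.namelist() else "mitigated"

def scan(root):
    """Walk an install tree (e.g. a VMware Horizon server) and classify every log4j-core jar found."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdict = classify_jar(full)
            if verdict:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = verdict
    return findings

def make_sample_tree():
    """Constructed test data (not from a real host): three minimal jars standing in for a deployment."""
    root = tempfile.mkdtemp()
    samples = {  # relative path -> whether JndiLookup.class is inside the jar
        "lib/log4j-core-2.14.1.jar": True,       # unpatched and class present: exposed
        "patched/log4j-core-2.14.1.jar": False,  # class removed as interim mitigation
        "new/log4j-core-2.17.1.jar": True,       # fixed release, class no longer exploitable
    }
    for rel, with_jndi in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as jar:
            if with_jndi:
                jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return root
```

Run `scan()` against the real installation root instead of `make_sample_tree()`; any jar reported as "exposed" should be patched or removed before the host is considered remediated.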
What are the recommendations?
- Raise employee awareness of phishing, particularly in large organizations, through routine and thorough training.
- Maintain consistent, up-to-date patch management.
- Install security software from trusted sources.
- Deploy intrusion detection tools to automate removal processes effectively.