North Korean Lazarus hackers drop new malware developed on Log4j bug

The analysts note the use of DLang – a programming language not typically used in attacks which could have helped the group to stay under the radar until now.

Lazarus DLang malware

A description for the vulnerability, which is being tracked as CVE-2021-44228, reads: “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”

The malware consists of a pair of RATs which have been named NineRAT and DLRAT by the cybersecurity group. The former uses Telegram bots and channels as a medium of C2 communications. The third is a downloader, called BottomLoader.

It is believed that NineRAT was developed around May 2023 before being used in Operation Blacksmith later in March 2023 against a South American agricultural organization. It was observed again in September 2023, targeting a European manufacturing entity.

The group, which has been active since around 2010, has a broad range of targets so far, including government, defense, finance, media, healthcare, and critical infrastructure. Talos says that goals vary, and include espionage, data theft, and financial gain to support state objectives.

Operation Blacksmith continues to opportunistically target global enterprises that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation, specifically CVE-2021-44228 (Log4j).

The vulnerability was discovered by a member of the Alibaba Cloud Security Team, and has since been addressed.

If nothing else, Lazarus’ attack highlights the criticality of applying security updates to all Internet-connected devices as a matter of urgency.

More from TechRadar Pro

• Boost your cybersecurity with the best firewalls
• Protect your device by installing the best endpoint protection
• North Korea has got its hands on AI - and is testing its ability to commit cyberwarfare