North Korean Lazarus hackers drop new malware developed on Log4j bug

News
By published

The advice is simple – always apply software updates

A mysterious man holding a keyboard like a weapon
(Image credit: Shutterstock / leolintang)

North Korea’s Lazarus hacking group has been linked with previously undocumented remote access trojans (RATs) and a malware downloader that exploit the Log4Shell vulnerability.

Cisco Talos researchers are credited with discovering the new campaign, which is being dubbed Operation Blacksmith.

The analysts note the use of DLang – a programming language not typically used in attacks which could have helped the group to stay under the radar until now.

Lazarus DLang malware

A description for the vulnerability, which is being tracked as CVE-2021-44228, reads: “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”

The malware consists of a pair of RATs which have been named NineRAT and DLRAT by the cybersecurity group. The former uses Telegram bots and channels as a medium of C2 communications. The third is a downloader, called BottomLoader.

It is believed that NineRAT was developed around May 2023 before being used in Operation Blacksmith later in March 2023 against a South American agricultural organization. It was observed again in September 2023, targeting a European manufacturing entity.

The group, which has been active since around 2010, has a broad range of targets so far, including government, defense, finance, media, healthcare, and critical infrastructure. Talos says that goals vary, and include espionage, data theft, and financial gain to support state objectives.

Operation Blacksmith continues to opportunistically target global enterprises that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation, specifically CVE-2021-44228 (Log4j).

The vulnerability was discovered by a member of the Alibaba Cloud Security Team, and has since been addressed.

If nothing else, Lazarus’ attack highlights the criticality of applying security updates to all Internet-connected devices as a matter of urgency.

More from TechRadar Pro

TOPICS
Craig Hale
Craig Hale

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!

Read more
Image depicting a hand on a scanner
New Lazarus Group campaign sees North Korean hackers spreading undetectable malware through GitHub and open source packages
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
North Korean Lazarus hackers launch large-scale cyberattack by cloning open source software
North Korean flag with a hooded hacker
North Korean hackers are posing as software development recruiters to target freelancers
A digital representation of a lock
Looking for a new job? Watch out you don't fall for this new malware scam
Hacker silhouette working on a laptop with North Korean flag on the background
North Korean hackers are targeting LinkedIn jobseekers with new malware - here's how to stay safe
Ransomware
Fortinet firewall bugs are being targeted by LockBit ransomware hackers
Latest in Security
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight
Code Skull
This dangerous new ransomware is hitting Windows, ARM, ESXi systems
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
Latest in News
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
Monster Hunter Wilds
Monster Hunter Wilds Title Update 1 launches in early April, adding new monsters and some of the best-looking armor sets I need to add to my collection
Zotac Gaming RTX 5090 Graphics Card
Nvidia Blackwell stock woes are compounded by price hikes as more RTX 5090 GPUs soar in pricing, and I’m sick and tired of it all at this point
A collage of Elizabeth Olsen's Scarlet Witch and Tatiana Maslany's She-Hulk
Marvel fans are already tired of Doomsday and Secret Wars cast gossip as two more superheroes get linked with roles in the next two Avengers movies
Four operators survey Verdansk. One holds a sniper rifle, one binoculars, another holds is landing with their parachute, while the last wears a skull mask
New Call of Duty: Warzone trailer shows a beautiful rebuilt Verdansk, but some fans want more: 'it won't be the same unfortunately'
More about security
cybersecurity

Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak

A major Keenetic router data leak could put a million households at risk
Hornet swings their weapon in mid air

Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
See more latest
Most Popular
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
Monster Hunter Wilds
Monster Hunter Wilds Title Update 1 launches in early April, adding new monsters and some of the best-looking armor sets I need to add to my collection
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Sony WF-C710N in blue glass on beige background
Sony WF-C710 earbuds land, and I think they'll be the 2025 budget buds to beat
The RIG M2 Streamstar attached to a boom arm.
The RIG M2 Streamstar has the world's first Bluetooth audio gateway in a wired gaming microphone
Four operators survey Verdansk. One holds a sniper rifle, one binoculars, another holds is landing with their parachute, while the last wears a skull mask
New Call of Duty: Warzone trailer shows a beautiful rebuilt Verdansk, but some fans want more: 'it won't be the same unfortunately'
Data leak
A major Keenetic router data leak could put a million households at risk
A collage of Elizabeth Olsen's Scarlet Witch and Tatiana Maslany's She-Hulk
Marvel fans are already tired of Doomsday and Secret Wars cast gossip as two more superheroes get linked with roles in the next two Avengers movies
Quordle on a smartphone held in a hand
Quordle hints and answers for Wednesday, March 26 (game #1157)