Lazarus Group’s Operation Blacksmith Attacking Organizations Worldwide
The Lazarus Group is a notorious North Korean state-sponsored hacking organization known for:-
Cyber espionage
Financial Theft
Destructive attacks
They have been implicated in high-profile incidents, including the 2014 Sony Pictures hack and the 2017 WannaCry ransomware outbreak.
Cybersecurity researchers at Cisco Talos recently found Lazarus Group’s “Operation Blacksmith” using new DLang-based malware to attack organizations across the globe.
Blacksmith operation exploits Log4Shell (CVE-2021-44228) and deploys a new DLang RAT via Telegram for C2 communication.
Three families were discovered, including:-
Telegram-based RAT “NineRAT”
Non-Telegram RAT “DLRAT”
Downloader “BottomLoader”
Technical analysis
NineRAT operates through Telegram for C2, including commands and file transfers. Lazarus uses Telegram for stealth.
It comprises a dropper with two embedded components:-
An instrumentor (nsIookup.exe)
A second component for persistence (Execute by the first component.)
NineRAT, the main interaction method on infected hosts, coexists with previous tools like HazyLoad for sameness. Lazarus ensures persistent access with overlapping backdoor entries.
Telegram C2 channels led to the discovery of a public bot, “[at]StudyJ001Bot,” which was later replaced by Lazarus-owned bots. Despite the switch, older NineRAT samples still use open channels, reads the report.
Anadriel, active since 2022, employs two API tokens, one publicly listed, interacting with Telegram via DLang-based libraries.
Besides this, the NineRAT tests authentication and handles file upload/download through Telegram methods. Not only that but even from the system using a BAT file, the NineRAT can also uninstall itself.
NineRAT led to the discovery of two more Lazarus DLang-based malware families. BottomLoader, a downloader, downloads payloads via a PowerShell command and creates persistence.
Infection chain (Source – Cisco Talos)
DLRAT, a downloader, and RAT that executes commands, performs system reconnaissance, and communicates with C2 using a hardcoded session ID.
The attack exploits CVE-2021-44228 (Log4Shell) on public-facing VMWare Horizon servers for initial access, deploying a custom implant after reconnaissance.
IOCs
Hashes
HazyLoad
000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee
NineRAT
534f5612954db99c86baa67ef51a3ad88bc21735bce7bb591afa8a4317c35433
ba8cd92cc059232203bcadee260ddbae273fc4c89b18424974955607476982c4
47e017b40d418374c0889e4d22aa48633b1d41b16b61b1f2897a39112a435d30
f91188d23b14526676706a5c9ead05c1a91ea0b9d6ac902623bc565e1c200a59
5b02fc3cfb5d74c09cab724b5b54c53a7c07e5766bffe5b1adf782c9e86a8541
82d4a0fef550af4f01a07041c16d851f262d859a3352475c62630e2c16a21def
BottomLoader
0e416e3cc1673d8fc3e7b2469e491c005152b9328515ea9bbd7cf96f1d23a99f
DLRAT
e615ea30dd37644526060689544c1a1d263b6bb77fe3084aa7883669c1fde12f
9a48357c06758217b3a99cdf4ab83263c04bdea98c347dd14b254cab6c81b13a
Network IOCs
tech[.]micrsofts[.]com
tech[.]micrsofts[.]tech
27[.]102[.]113[.]93
185[.]29[.]8[.]53
155[.]94[.]208[.]209
162[.]19[.]71[.]175
201[.]77[.]179[.]66
hxxp://27[.]102[.]113[.]93/inet[.]txt
hxxp[://]162[.]19[.]71[.]175:7443/sonic/bottom[.]gif
hxxp[://]201[.]77[.]179[.]66:8082/img/lndex[.]php
hxxp[://]201[.]77[.]179[.]66:8082/img/images/header/B691646991EBAEEC[.]gif
hxxp[://]201[.]77[.]179[.]66:8082/img/images/header/7AEBC320998FD5E5[.]gif
The post Lazarus Group’s Operation Blacksmith Attacking Organizations Worldwide appeared first on Cyber Security News.
Cyber Security News