Lazarus Group Still Deploys Remote Access Trojans

12325907672?profile=RESIZE_400xThe North Korea-linked threat actor known as the Lazarus Group has been attributed to a new global campaign that involves the opportunistic exploitation of security flaws in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts.  Investigators are tracking the activity under the name Operation Blacksmith, noting the use of three DLang-based malware families, including a RAT called NineRAT that leverages Telegram for command-and-control (C2), DLRAT, and a downloader dubbed BottomLoader.

The researchers described the latest tactics of the adversary as a definitive shift and that they overlap with the cluster widely tracked as Andariel (aka Onyx Sleet or Silent Chollima), a sub-group within the Lazarus umbrella.  Andariel is typically tasked with initial access, reconnaissance and establishing long term access for espionage in support of the North Korean government's national interests.  Attack chains involve the exploitation of CVE-2021-44228 (aka Log4Shell) against publicly-accessible VMWare Horizon servers to deliver NineRAT.  Some of the prominent sectors targeted include manufacturing, agriculture, and physical security.[1]


The abuse of Log4Shell is not surprising given the fact that 2.8 percent of applications are still using vulnerable versions of the library (from 2.0-beta9 through 2.15.0) after two years of public disclosure, according to Veracode, with another 3.8% using Log4j 2.17.0, which, while not vulnerable to CVE-2021-44228, is susceptible to CVE-2021-44832.

NineRAT, first developed during May 2022, is said to have been put to use as early as March 2023 in an attack aimed at a South American agricultural organization, and then again in September 2023 on a European manufacturing entity.  By using a legitimate messaging service like Telegram for C2 communications, the goal is to evade detection.  The malware acts as the primary means of interaction with the infected endpoint, enabling the attackers to send commands to gather system information, upload files of interest, download additional files, and even uninstall and upgrade itself.[2]

"Once NineRAT is activated it accepts preliminary commands from the telegram based C2 channel, to again fingerprint the infected systems.  Re-fingerprinting of infected systems indicates that the data collected by Lazarus via NineRAT may be shared by other APT groups and essentially resides in a different repository from the fingerprint data collected initially by Lazarus during their initial access and implant deployment phase," the researchers noted.

Also used in the attacks after initial reconnaissance is a custom proxy tool called HazyLoad that was previously identified by Microsoft as used by the threat actor as part of intrusions weaponizing critical security flaws in JetBrains TeamCity (CVE-2023-42793, CVSS score: 9.8).  HazyLoad is downloaded and executed by means of another malware called BottomLoader.

Operation Blacksmith has been observed delivering DLRAT, which is both a downloader and a RAT equipped to perform system reconnaissance, deploy additional malware, and retrieve commands from the C2 and execute them in the compromised systems.  DLRAT is another iteration in the Lazarus trend that started with MagicRAT, using exotic/uncommon languages and frameworks, along with modular malware in order to avoid detection.  The multiple tools giving overlapping backdoor entry present Lazarus Group with redundancies in the event a tool is discovered, enabling highly persistent access, the researchers said.

The exploitation of Log4Shell by Andariel is not new, for the hacking crew has used the vulnerability as an initial access vector in the past to deliver a remote access trojan referred to as EarlyRat. The disclosure comes as the AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky's use of AutoIt versions of malware such as Amadey and RftRAT and distributing them via spear-phishing attacks bearing booby-trapped attachments and links in an attempt to bypass security products.

Kimusky, also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima, is an element operating under North Korea's Reconnaissance General Bureau (RGB), which also houses the Lazarus Group.  It was sanctioned by the US Treasury Department on 30 November 2023, for gathering intelligence to support the regime's strategic objectives.  "After taking control of the infected system, to exfiltrate information, the Kimsuky group installs various malware such as keyloggers and tools for extracting accounts and cookies from web browsers," ASEC said in an analysis published recently.

It also follows the discovery of a new Konni-linked phishing campaign that uses a malicious executable file disguised as a Microsoft Word file to deliver a backdoor that "receives obfuscated commands from the threat actor and executes them in XML format."

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or   


Weekly Cyber Intelligence Briefings:





Weekly Cyber Intelligence Briefings:


REDSHORTS - Weekly Cyber Intelligence Briefings





E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!