Researchers warn that Lazarus threat actors still exploit the known Log4j vulnerability to infect devices with new DLang-based malware strains.
The new campaign, dubbed Operation Blacksmith, became active on March 23. The hackers target manufacturing, agricultural, and physical security companies that failed to apply the existing patches for the Log4Shell vulnerability.
More about the new RAT malware
Researchers revealed Lazarus used two new remote access trojans (RATs) named NineRAT and DLRAT for their recent attacks. The attackers also used BottomLoader, which is a malware downloader.
NineRAT
Lazarus’ first novel RAT uses the Telegram API for command and control communications. Its dropper establishes persistence and executes the main binaries. Additionally, it supports various commands sent via Telegram for:
- collecting and exfiltrating system data
- setting token values
- upgrading to new versions
- controlling malware activity intervals
- self-uninstallation
DLRAT
The second Lazarus RAT works as both a trojan and a downloader. It starts by collecting and sending system information to its C&C server.
The server responds with the victim’s external IP address and commands for local execution, enabling:
- file manipulation
- downloading additional payloads
- entering a dormant state
BottomLoader
BottomLoader is a downloader that uses PowerShell to fetch and run payloads from a hardcoded URL. It modifies the Startup directory for persistence.
It further extends Lazarus’s capabilities for data exfiltration and system control.
Why is Log4j still a danger to companies?
The Log4Shell vulnerability, tracked as CVE-2021-44228, is a critical security flaw in Apache Log4j, a widely used logging utility in Java applications.
Although patches have been available since 2021, the Log4j vulnerability is still a threat to companies. So, why are there still companies that have not applied the updates that mitigate Log4Shell?
Complex and large IT infrastructures
Patching IT systems running numerous applications that use different versions of Log4j is challenging.
In complex environments that run a variety of operating systems and devices, tracking and updating all instances of the vulnerable library is a time-consuming task.
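As an added example (not code from the article or from Heimdal), the inventory step just described in Python: it walks a directory tree, opens every jar/war/ear, descends into nested archives such as fat jars, and reports each embedded log4j-core copy with its version and whether the JndiLookup class is still present. The file paths and the 2.15.0 threshold come from Apache's CVE-2021-44228 advisory; the sample-jar builder is a constructed stand-in used only to exercise the scanner.

```python
import io
import re
import zipfile
from pathlib import Path

# log4j-core's Maven metadata, and the JNDI lookup class abused by CVE-2021-44228.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)  # first 2.x release that closes CVE-2021-44228
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def parse_version(pom_properties):
    """'version=2.14.1' -> (2, 14, 1); 'version=2.0-beta9' -> (2, 0, 0); else None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.M)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def inspect_archive(data, label):
    """Report log4j-core copies in one archive, descending into nested jars."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container: nothing to inspect
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:
        version = parse_version(zf.read(POM_PROPS).decode(errors="replace") if POM_PROPS in names else "")
        has_jndi = JNDI_CLASS in names
        # Vulnerable: 2.x older than 2.15.0 with the JNDI lookup class still shipped
        # (deleting that class is Apache's documented mitigation for old builds).
        vulnerable = (has_jndi and version is not None
                      and version[0] == 2 and version < FIXED_VERSION)
        findings.append({"path": label, "version": version,
                         "jndi_lookup": has_jndi, "vulnerable": vulnerable})
    for inner in sorted(names):  # fat jars and WARs bundle log4j inside
        if inner.lower().endswith(ARCHIVE_SUFFIXES):
            findings.extend(inspect_archive(zf.read(inner), f"{label}!{inner}"))
    return findings

def scan_tree(root):
    """Walk a directory tree and inspect every archive found in it."""
    return [f for p in Path(root).rglob("*") if p.is_file()
            and p.suffix.lower() in ARCHIVE_SUFFIXES
            for f in inspect_archive(p.read_bytes(), str(p))]

def build_sample_jar(version, include_jndi=True):
    """Constructed in-memory stand-in for a log4j-core jar (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()
```

The older maintenance lines (2.12.x for Java 7, 2.3.x for Java 6) received their own fixed releases below 2.15.0, so a hit on those lines should be confirmed against Apache's advisory rather than taken as final.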
Third-party software
For companies that use third-party applications that incorporate Log4j, the job is even harder. They must rely on these third-party vendors to release patches.
Legacy systems and compatibility issues
Older systems that are still in use are not always compatible with the updated, patched versions of Log4j. Updating these systems could lead to breaking critical functionalities.
Limited resources and awareness
Companies with smaller or limited IT security resources do not have the capacity or expertise to quickly identify and mitigate the vulnerability. Log4Shell did get a lot of publicity.
However, some might still not acknowledge how seriously this vulnerability could impact their business.
How to prevent infection with the new Lazarus RAT malware?
The answer is to apply the available updates. But, as seen above, this can be a real challenge in complex IT environments.
The safest and fastest way to keep all the software on all devices up to date is using an automated patch management solution.
Best patch management tools:
- keep devices and software inventory up to date
- constantly scan for vulnerabilities
- keep track of available patches
- can easily be configured to deploy updates at the most convenient schedule for your organization.
Follow the patch management best practices to close critical vulnerabilities in your organization and keep safe from Log4j exploits.