State-backed hackers behind the infamous crypto-stealing group Lazarus are now using the Log4Shell flaw to breach energy firms in North America and Japan for purposes of espionage.
Cisco’s Talos security analysts say Lazarus hackers are exploiting flaws in Log4J — an open-source application logging component — in unpatched internet-facing VMware Horizon servers to gain initial access at energy providers in the US, Canada, and Japan. The North Korea-backed attackers deploy custom malware for long-term espionage.
Lazarus, also tracked as Hidden Cobra and APT38, is known for stealing hundreds of millions in cryptocurrency from crypto firms.
The US Treasury sanctioned Lazarus in 2019 for crypto and banking system heists that it said helped raise revenues to fund North Korea’s nuclear weapons and ballistic missile programs.
Organizations should have patched this flaw months ago. The Cybersecurity and Infrastructure Security Agency (CISA) in September warned organizations to patch VMware Horizon‘s Log4Shell flaws, some nine months after VMware released its Log4Shell patches for Horizon servers.
Hackers at Iran’s Ministry of Intelligence and Security (MOIS), which are tracked as MuddyWater, have also recently been using Log4Shell to compromise organizations in Israel but via unpatched server software from an Israeli vendor that includes Log4J, according to Microsoft.
After Lazarus actors gain access via unpatched VMware Horizon servers, they deploy custom malware implants called VSingle, YamaBot, and a third, previously unseen implant Cisco calls “MagicRAT.” Cisco released details to expose more about the group’s modus operandi. It believes the group is aiming to establish long-term access to gather information of value.
“Cisco Talos identified the exploitation of the Log4Shell vulnerability on VMWare Horizon public-facing servers as the initial attack vector. The compromise is followed by a series of activities to establish a foothold on the systems before the attackers deploy additional malware and move laterally across the network,” Cisco said in a blog post Thursday.
After compromising a VMware Horizon server in a Windows environment, the group would deploy VSingle, establish a reverse shell for issuing arbitrary commands, and disable Microsoft Defender antivirus. Microsoft generally recommends organizations enable tamper protection.
The group also conducts reconnaissance via Windows Active Directory, harvests encrypted credentials, and collects information about the logical drives of infected systems. During this stage, the actors also check if the Remote Desktop Protocol (RDP) port is open.
“During the reconnaissance stage, the attackers specifically check if the RDP port is open. If it is and the attackers decrypt any of the harvested credentials, they would have direct access to the system without the need to install any other backdoor,” Cisco noted.
After activating backdoors and implants on infected systems, the group covers its tracks by deleting files in the infection folder, terminating any active Powershell tasks, removing any accounts it created, and then purging the Windows Event log.
The newly discovered implant MagicRAT is “rather simple” in Cisco’s view in that it connects to the attackers’ command and control (C2) server, gives them a remote shell to execute arbitrary commands, and allows them to rename, move and delete files on a device. It also features a port scanner.
A second known remote access tool, TigerRAT, which connects to the same C2, allows the attackers to enumerate systems and run arbitrary commands including screen captures, key logging, file management, and self-uninstall from systems.