
The North Korean hacking group known as Lazarus is exploiting the Log4J remote code execution vulnerability to inject backdoors that fetch information-stealing payloads on VMware Horizon servers.

The vulnerability is tracked as CVE-2021-44228, aka Log4Shell, and impacts many products, including VMware Horizon.

The exploitation of vulnerable Horizon deployments started in January 2022, but many admins are yet to apply the available security updates.

According to a report published by analysts at Ahnlab's ASEC, Lazarus has been targeting vulnerable VMware products via Log4Shell since April 2022.

To start the attack, the threat actors exploit the Log4j vulnerability through VMware Horizon's Apache Tomcat service to execute a PowerShell command. This PowerShell command will ultimately lead to installing the NukeSped backdoor on the server.

NukeSped (or NukeSpeed) is a backdoor malware first associated with DPRK hackers in the summer of 2018 and then linked to a 2020 campaign orchestrated by Lazarus.

The latest variant sampled and analyzed by ASEC is written in C++ and uses RC4 encryption for communicating securely with the C2 infrastructure. NukeSped performs various espionage operations in the compromised environment, such as taking screenshots, recording key presses, and accessing files. Moreover, NukeSped supports command line commands. Two new modules seen in the current NukeSped variant are one for dumping USB contents and one for accessing web camera devices.

Lazarus uses NukeSped to install an additional console-based information-stealer malware, which collects information stored on web browsers. More specifically, the malware analyzed by ASEC can steal the following data:

- Account credentials and browsing history stored in Google Chrome, Mozilla Firefox, Internet Explorer, Opera, and Naver Whale.
- Email account information stored in Outlook Express, MS Office Outlook, and Windows Live Mail.
- Names of recently used files from MS Office (PowerPoint, Excel, and Word) and Hancom 2010.

In some attacks, Lazarus was observed deploying Jin Miner instead of NukeSped by leveraging Log4Shell. Since Jin Miner is a cryptocurrency miner, Lazarus probably used it on less critical systems targeted for monetary gains instead of cyber-espionage.

Since the start of the year, Lazarus was spotted using LoLBins in Windows-targeting campaigns and malicious cryptocurrency apps to compromise Windows and macOS computers.
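The intrusion chain described in the report, a Horizon Tomcat service process launching PowerShell, is a parent/child relationship that endpoint telemetry can flag. The following is an added detection example, not code from the article or from ASEC; it assumes Sysmon-style process-creation events as JSON lines, assumes the Horizon Tomcat service's image name contains "tomcat", and generalises the article's PowerShell case to any command interpreter spawned by that service.

```python
import json

# Assumption (not from the article): the Horizon Tomcat service runs under an
# image whose file name contains "tomcat"; adjust this to the binary actually
# used in your deployment.
PARENT_MARKER = "tomcat"
# Generalised beyond the article's PowerShell case to other interpreters a
# Java web service has no business spawning.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed sample process-creation events, one JSON object per line
# (Sysmon-style field names, shortened). Not real telemetry; paths are made up.
SAMPLE_LOG = r"""
{"ts":"2022-05-19T10:01:02Z","host":"hz01","image":"C:\\Windows\\System32\\services.exe","parent_image":"C:\\Windows\\System32\\wininit.exe"}
{"ts":"2022-05-19T10:01:05Z","host":"hz01","image":"C:\\Program Files\\VMware\\Server\\bin\\ws_TomcatService.exe","parent_image":"C:\\Windows\\System32\\services.exe"}
{"ts":"2022-05-19T10:07:41Z","host":"hz01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Program Files\\VMware\\Server\\bin\\ws_TomcatService.exe"}
{"ts":"2022-05-19T10:09:03Z","host":"hz01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\explorer.exe"}
{"ts":"2022-05-19T10:12:30Z","host":"hz01","image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Program Files\\VMware\\Server\\bin\\ws_TomcatService.exe"}
"""

def image_name(path):
    """Return the lower-cased file name of a Windows or POSIX image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_shell_spawned_by_tomcat(event):
    """True when a command interpreter was started by the Tomcat service."""
    child = image_name(event.get("image", ""))
    parent = image_name(event.get("parent_image", ""))
    return child in SHELL_IMAGES and PARENT_MARKER in parent

def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_suspicious(text):
    """Return (ts, child, parent) triples for events matching the detection."""
    return [
        (ev["ts"], image_name(ev["image"]), image_name(ev["parent_image"]))
        for ev in parse_events(text)
        if is_shell_spawned_by_tomcat(ev)
    ]

if __name__ == "__main__":
    for ts, child, parent in find_suspicious(SAMPLE_LOG):
        print(f"{ts}: {parent} spawned {child}")
```

The PowerShell launched from explorer.exe is left alone, since the signal is the parent process, not PowerShell itself.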
