Lazarus, new malware to once again target the Log4j exploit

A working exploit is not abandoned. The well-known North Korean hacking group Lazarus is back in the news for exploiting a vulnerability that has been public for two years: CVE-2021-44228, more commonly known as Log4j.

Although the vulnerability has been known for some time, the attackers have taken a “modern” approach by distributing three new malware families through it: two remote access trojans (RATs), named NineRAT and DLRAT, and a downloader known as BottomLoader.

The malware in question was written in DLang (the D programming language), a language not usually seen in cybercrime. This choice could be a way for Lazarus to “test” new detection-evasion approaches across its many operations.

Just a few days ago Microsoft itself had warned users about the numerous campaigns carried out by the North Korean group.

Log4j again two years later: NineRAT by Lazarus worries the experts

The campaign, identified by Cisco Talos, appears to have started last March. According to the data collected by the researchers, Lazarus’ main targets are manufacturing and agricultural companies.

In particular, it is the behavior of NineRAT that alarms the Cisco Talos researchers. It relies on a technique known as re-fingerprinting: it identifies the compromised system and collects data about it so that the victim can be exploited further later, by Lazarus or by other affiliated groups.

It is also somewhat surprising that Log4j, two years after its discovery, still offers a crack through which attackers can get in. In 2021 Log4j accounted for almost 5 million attempted attacks (with a high number recorded in our country as well), proving to be one of the most fearsome online threats of the entire year.
