Lazarus, one of the most prominent North Korean hacking groups, has exploited the Log4j RCE vulnerability on VMware Horizon servers to install the NukeSped backdoor, which in turn retrieves information-stealing payloads.
The vulnerability is tracked as CVE-2021-44228 (Log4Shell) and affects a wide range of products, VMware Horizon among them.
Security analysts at AhnLab's ASEC report that since April 2022 the threat actors behind the Lazarus group have been targeting vulnerable VMware products through Log4Shell.
Vulnerable Horizon deployments were already identified in January 2022; however, many administrators have still not applied the latest security updates.
VMware Horizon Servers Were Targeted
The threat actors exploited the Log4j vulnerability in VMware Horizon's Apache Tomcat service to make that service execute a PowerShell command.
Running this PowerShell command most likely installs the NukeSped backdoor on the server.
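The execution chain described above, Horizon's Tomcat service launching PowerShell, is something a defender can watch for in process-creation telemetry. The following detection is an added example and is not code from the ASEC report or from VMware; the process names, event fields and sample events are assumptions constructed for the example.

```python
"""Flag PowerShell spawned by a Tomcat service process.

Added example; not ASEC's or VMware's code. Process names, the event
layout and the sample events below are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the Horizon Tomcat service image name contains "tomcat".
TOMCAT_PARENT = re.compile(r"tomcat", re.IGNORECASE)
# Match powershell.exe / pwsh as the last path component of the child image.
POWERSHELL = re.compile(r"(^|\\)(powershell|pwsh)(\.exe)?$", re.IGNORECASE)
# Base64-encoded command switches, often used to hide what a script does.
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def classify(ev: ProcEvent) -> Optional[str]:
    """Return an alert label for a suspicious event, or None if benign."""
    if not POWERSHELL.search(ev.image):
        return None
    if not TOMCAT_PARENT.search(ev.parent_image):
        return None
    # Pad with spaces so a flag at either end of the line still matches.
    if ENCODED_FLAG.search(" " + ev.command_line + " "):
        return "high: tomcat->powershell with encoded command"
    return "medium: tomcat->powershell"


def scan(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Run classify() over a batch and return (host, label) for each hit."""
    return [(ev.host, label) for ev in events if (label := classify(ev))]


# Constructed sample events (not real telemetry); the base64 decodes to "ABC".
SAMPLE_EVENTS = [
    ProcEvent("horizon-cs01", r"C:\Horizon\bin\ws_TomcatService.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc QQBCAEMA"),
    ProcEvent("horizon-cs01", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Service"),
    ProcEvent("horizon-cs02", r"C:\Horizon\bin\ws_TomcatService.exe",
              r"C:\Horizon\jre\bin\java.exe", "java.exe -jar app.jar"),
]
```

Only the first constructed event is flagged: a Tomcat parent, a PowerShell child and an encoded command line together; a Tomcat process starting Java, or a user shell starting PowerShell, is left alone.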
Backdoor malware such as NukeSped receives commands from the C&C server and executes them on the attacker's behalf. NukeSped was first associated with DPRK-affiliated hackers in the summer of 2018 and was later linked to a 2020 campaign staged by Lazarus.
The latest variant is written in C++ and encrypts its C2 communication with RC4, where the previous version used XOR encryption.
On a compromised host, NukeSped performs a variety of espionage activities, including:
- Taking screenshots
- Recording key presses
- Accessing files
- Executing command-line commands
The current NukeSped variant also carries two modules: one that dumps the contents of USB devices and another that accesses web cameras.
The malware can steal several types of data, including:
- Account credentials
- Browsing history
- Email account information
- Names of recently used files from MS Office
In some attacks, Lazarus has been seen using Log4Shell to deploy Jin Miner instead of NukeSped.
The recent Lazarus incident is the second known example of a Windows-targeting malware campaign using LoLBins; the other was the deployment of crypto-mining malware on macOS and Windows computers.
Log4Shell exploitation thus adds to the already wide variety of tactics the group uses in its attacks.