Lazarus, one of the most prominent North Korean hacking groups, has exploited the Log4j RCE vulnerability to plant the NukeSped backdoor on VMware Horizon servers and then retrieve information-stealing payloads.
The vulnerability is tracked as CVE-2021-44228 (Log4Shell) and affects a wide range of products, VMware Horizon among them.
Security analysts at AhnLab's ASEC report that the threat actors behind the Lazarus group have been targeting vulnerable VMware products through Log4Shell since April 2022.
Vulnerable Horizon deployments were already identified in January 2022, yet many administrators still have not applied the latest security updates.
The threat actors exploited the Log4j vulnerability in VMware Horizon's Apache Tomcat service to execute a PowerShell command.
Running this PowerShell command most likely installs the NukeSped backdoor on the server.
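The chain described above (the Horizon Tomcat service executing a PowerShell command) leaves a process-lineage trace a defender can hunt for. The following is an added example, not code from the article or from AhnLab: it scans constructed process-creation events and flags a command shell whose parent is a Tomcat service process. The Horizon service binary name and install paths used in the sample events are assumptions.

```python
import re

# Constructed sample process-creation events in a simplified EDR/Sysmon-like shape.
# The Horizon Tomcat service name and install paths are assumptions, not values from the article.
SAMPLE_EVENTS = [
    {"host": "hzn-cs01",
     "parent_image": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -WindowStyle Hidden -Command <redacted>"},
    {"host": "hzn-cs01",
     "parent_image": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
     "image": r"C:\Program Files\VMware\VMware View\Server\jre\bin\java.exe",
     "command_line": "java.exe -Xmx2g org.apache.catalina.startup.Bootstrap"},
    {"host": "admin-ws07",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# Assumption: the Horizon Tomcat service runs from a binary whose name contains "tomcat".
TOMCAT_PARENT = re.compile(r"tomcat", re.IGNORECASE)
# Shells a web server process has no legitimate reason to spawn on a Horizon server.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_tomcat_spawned_shell(event):
    """True when a Tomcat service process is the direct parent of a command shell."""
    parent_is_tomcat = TOMCAT_PARENT.search(basename(event["parent_image"])) is not None
    child_is_shell = basename(event["image"]) in SHELL_CHILDREN
    return parent_is_tomcat and child_is_shell


def find_suspicious(events):
    """Return every event matching the Tomcat -> shell lineage rule."""
    return [e for e in events if is_tomcat_spawned_shell(e)]


if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_EVENTS):
        print(f"[ALERT] {e['host']}: {basename(e['parent_image'])} spawned {basename(e['image'])}")
```

The java.exe child and the explorer.exe-launched PowerShell are left unflagged, so the rule keys on lineage rather than on the mere presence of PowerShell.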
Backdoor malware such as NukeSped receives commands from the C&C server and executes them on the attacker's behalf. NukeSped was first associated with DPRK-affiliated hackers in the summer of 2018 and was later linked to a 2020 campaign staged by Lazarus.
The latest variant is written in C++ and secures its communication with the C2 using RC4 encryption, whereas the previous version used XOR encryption.
Once a host is compromised, NukeSped performs a variety of espionage activities, including the following:
The current NukeSped variant carries two modules: one dumps the contents of USB devices and the other accesses web cameras.
The malware can steal several types of data, listed below:
In some attacks, Lazarus has been observed delivering Jin Miner instead of NukeSped through Log4Shell.
The recent Lazarus incident is the second known example of a LoLBins-based malware campaign targeting Windows; the other was the deployment of crypto-mining malware on macOS and Windows computers.
This illustrates the variety of tactics the group uses in its attacks, with the exploitation of Log4Shell on top of them.