Lazarus Abuses Log4Shell to Target VMware Servers

Attack on VMware

• The attackers exploit the Log4j vulnerability, CVE-2021-44228, via Vmware Horizon’s Apache Tomcat service to run a PowerShell command. This command eventually installs the NukeSped backdoor.
• NukeSped performs espionage operations in the targeted environment, such as recording key presses, accessing files, and taking screenshots. Additionally, it supports command line commands for additional activities.
• In some attacks, Lazarus deployed Jin Miner instead of NukeSped. Jin Miner is a cryptocurrency miner, which can be used on less critical systems for monetary gains instead of espionage.

Understanding NukeSped and its capabilities

• It is used to install an additional console-based stealer malware that collects information saved on web browsers, including Internet Explorer, Google Chrome, Opera, Mozilla Firefox, and Naver Whale.
• Further, it steals account credentials, email account information, and recently used files from Hancom 2010 and MS Office.
• Two new modules have been spotted in the recent NukeSped malware variant. One is for dumping USB contents and the other for accessing web camera devices.

Conclusion