Log4Shell exploited in Lazarus attacks against VMware servers

North Korean state-sponsored hacking operation Lazarus has been targeting VMware Horizon servers in malware attacks exploiting the Log4Shell remote code execution flaw, tracked as CVE-2021-44228, reports BleepingComputer. Vulnerable VMware Horizon servers have been attacked since last month by Lazarus, which has been abusing Log4Shell via the servers' Apache Tomcat service to execute PowerShell commands and ultimately install the NukeSped backdoor, according to a report from AhnLab's ASEC. Researchers found that the C++-based NukeSped backdoor features screenshot capturing, file accessing, and keystroke recording capabilities, and has been leveraged by Lazarus to deploy a console-based information-stealer malware. The info-stealer has been observed exfiltrating browser-based search histories and account credentials, names of recently used MS Office and Hancom 2010 files, and email account data from MS Office Outlook, Outlook Express, and Windows Live Mail. The report also showed that, in some cases, Lazarus used Log4Shell to distribute the Jin Miner cryptominer instead of NukeSped.