Lazarus RAT Attack (CVE-2021-44228)

Description

What is the Attack? A new attack campaign led by the Lazarus threat actor group is seen employing new DLang-based Remote Access Trojan (RAT) malware. The attack attempts to exploit the Apache Log4j2 vulnerability (CVE-2021-44228) as initial access. Once compromised, it eventually creates a command and control (C2) channel.
What is the Vendor Solution? Apache has released relevant updates in 2021 on https://logging.apache.org/log4j/2.x/security.html. CISA has provided guidance on mitigating the vulnerability at https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance.
What FortiGuard Coverage is available? FortiGuard Labs has an IPS signature "Apache.Log4j.Error.Log.Remote.Code.Execution" (with the default action set to "block") in place for CVE-2021-44228 and has released Antivirus signatures for the RAT malware related to the Lazarus campaign.
FortiGuard Labs recommends that companies scan their environment, identify the versions of vulnerable open-source libraries in use, develop an upgrade plan for them, and always follow best practices.
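As an added illustration of that scanning step (example code written for this page, not FortiGuard tooling), the script below inspects jar/war/ear archives for a log4j-core copy affected by CVE-2021-44228. It assumes the standard Maven metadata layout inside the jar (META-INF/maven/.../pom.properties) and flags relocated copies that carry JndiLookup.class without a recorded version; the war fixture it builds is constructed for the demonstration.

```python
import io
import re
import zipfile

# CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1; 2.15.0 carried the first fix.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def core_version(zf):
    """Version from the jar's log4j-core pom.properties, or None if this is not log4j-core."""
    if POM_PROPS not in zf.namelist():
        return None
    m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
    return m.group(1).strip() if m else None

def is_vulnerable_version(version):
    """True for any 2.x build below 2.15.0, including the 2.0-beta9 and 2.0-rc builds."""
    m = re.match(r"^2\.(\d+)", version)
    return m is not None and int(m.group(1)) < 15

def scan_archive(data, name):
    """Inspect one jar/war/ear and every archive nested in it (WEB-INF/lib, shaded copies)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # named like an archive but is not one; nothing to inspect
    with zf:
        version = core_version(zf)
        if version is not None and is_vulnerable_version(version):
            findings.append((name, version, "vulnerable log4j-core"))
        elif version is None and JNDI_LOOKUP in zf.namelist():
            # Relocated/repackaged copy without pom.properties: version unknown, review by hand.
            findings.append((name, "unknown", "JndiLookup.class present, version not recorded"))
        for entry in zf.namelist():
            if entry.lower().endswith(ARCHIVES):
                findings.extend(scan_archive(zf.read(entry), f"{name}!/{entry}"))
    return findings

def build_sample_war(version):
    """Constructed fixture, not a real artifact: a war whose WEB-INF/lib holds a log4j-core-like jar."""
    jar, war = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", jar.getvalue())
    return war.getvalue()
```

To cover a deployment, call scan_archive on the bytes of every *.jar, *.war and *.ear found under the application and library directories; each finding names the archive path (with nested entries after "!/") so the upgrade plan can list exactly which copies to replace.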

Outbreak Alert

A new campaign conducted by the Lazarus Group is seen employing new DLang-based Remote Access Trojan (RAT) malware in the wild. The APT group has been seen targeting manufacturing, agricultural and physical security companies by exploiting the Log4j vulnerability for initial access, leading to a C2 (command and control) channel with the attacker.
