Cisco's Talos security researchers report that the North Korea-linked hacking group Lazarus has been observed deploying Dlang malware in attacks against organizations in the manufacturing, agriculture, and physical security sectors. Released in 2001, Dlang, or simply D, is a multi-paradigm system programming language built upon the idea of C++ but drawing inspiration from C#, Eiffel, Java, Python, Ruby, and other high-level languages. Dlang is considered an uncommon programming language for malware development but has attracted malware developers, likely due to its versatility and easy learning curve. Dlang allows developers to cross-compile applications for multiple architectures.[1]
Since March 2023, Lazarus, an advanced persistent threat (APT) actor sponsored by the North Korean government, has been observed using three malware families built using Dlang, namely the NineRAT and DLRAT remote access trojans (RATs) and the BottomLoader downloader.
See: https://redskyalliance.org/xindustry/lazarus-group-still-deploys-remote-access-trojans
The malware families were used as part of Operation Blacksmith, in which Lazarus targeted systems unpatched against the infamous Log4Shell vulnerability (CVE-2021-44228) to deploy NineRAT against a South American agricultural organization and a European manufacturing business. The observed attacks overlap with activity attributed to Onyx Sleet, a North Korean group known as Plutonium and Andariel. However, a common consensus across the cybersecurity industry is that North Korean state-sponsored hackers operate under the Lazarus umbrella.
NineRAT, in use since May 2022 uses Telegram for receiving commands from its command-and-control (C&C) server, likely to evade detection. After deployment, the RAT achieves persistence and becomes the main method of interaction with the infected host. The malware can harvest system information, upgrade to a new version, stop its execution, uninstall, and upload files from the infected machine.
The BottomLoader downloader can obtain and execute a payload from a hardcoded URL and has been observed deploying the custom proxy tool HazyLoad against a European manufacturer and a South Korean physical security and surveillance firm. It was also designed to achieve persistence for newer versions or its dropped payloads by creating a URL file in the system’s Startup directory.
Lazarus’ third Dlang malware family is DLRAT, which functions as a downloader and backdoor. It includes hardcoded commands for system reconnaissance but can also execute commands to download and upload files, rename files, and delete itself from the machine.
As part of Operation Blacksmith, Lazarus was seen exploiting Log4Shell on internet-accessible VMware Horizon servers for initial access, followed by reconnaissance and the deployment of the HazyLoad implant. In some cases, a new user account was created for persistent access to the system. Lazarus also employed utilities such as ProcDump and MimiKatz for credential dumping, then deployed the NineRAT backdoor to the system.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo, or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://www.securityweek.com/north-korean-hackers-developing-malware-in-dlang-programming-language/
Comments