December 11, 2023 at 01:13PM
Research revealed that Lazarus Group used novel malware strains written in the atypical programming language DLang. The attacks, part of “Operation Blacksmith,” targeted organizations in various industries. This included the use of NineRAT and BottomLoader, with DLang’s usage representing a shift towards newer languages in malware coding, mirroring trends in the broader programming world.
Key takeaways from the meeting notes are as follows:
1. The Lazarus Group has been using Log4Shell to deploy new malware strains written in DLang, an atypical programming language.
2. DLang is classified as a newer memory-safe language endorsed by Western security agencies and also utilized by cybercriminals.
3. Cisco Talos uncovered at least three new DLang-based malware strains used in attacks on organizations in various industries.
4. These attacks are part of “Operation Blacksmith” and are attributed to a group called Andariel, suspected to be a sub-division of the Lazarus Group representing North Korea’s state-sponsored offensive cyber unit.
5. Andariel’s attacks exploit n-day vulnerabilities, such as the critical Log4j vulnerability (CVE-2021-44228), and involve the use of malicious tools like NineRAT and BottomLoader.
6. NineRAT utilizes Telegram for C2 infrastructure and was linked to attacker activity after exploiting public-facing VMware Horizon servers with Log4Shell.
7. The group is also responsible for attacks on JetBrains’ TeamCity CI/CD tool and has been involved in both cyber espionage campaigns and ransomware attacks.
8. Researchers noted the rarity of DLang in malware coding and observed a trend towards newer languages and frameworks in the larger programming world.
9. While Rust is the preferred choice due to its memory safety and performance, DLang, along with Go, offers faster compile times, which constitutes a potential trade-off for developers.