North Korean Hackers Utilize Dlang-Based Malware in Targeted Attacks

North Korean hackers have recently been employing Dlang-based malware, a relatively uncommon programming language, for malicious purposes. Lazarus, a North Korea-linked hacking group, has been identified as the culprit behind these attacks. This article delves into the rise of Dlang in malware development and provides an analysis of Lazarus’ three Dlang malware families. It also explores the overlapping activity with another North Korean group, Onyx Sleet (also known as Plutionium and Andariel). Furthermore, the article examines the functionality of each malware family, the exploitation techniques employed by Lazarus, and the implications of these targeted attacks.

Dlang as an Uncommon Programming Language for Malware Development

The adoption of Dlang by malware developers has surged in recent years due to its versatility and easy learning curve. This shift in the choice of programming language needs to be understood in the context of the targeted attacks carried out by North Korean hackers.

The Three Malware Families Built with Dlang by Lazarus

Lazarus has utilized three distinct malware families, namely NineRAT, DLRAT, and BottomLoader, all developed using Dlang. Each family serves its purpose in different stages of the attack process, contributing to the success of Lazarus’ operations. These malware families have been in use by Lazarus since March 2023.

Overlapping Activity with Onyx Sleet (Plutonium and Andariel)

The observed attacks demonstrate an overlap with the activities of Onyx Sleet, another North Korean hacking group also known as Plutonium and Andariel. The connection between Lazarus and Onyx Sleet raises concerns about the coordinated efforts of these groups and their combined capabilities.

Analysis of NineRAT

Introduced around May 2022, NineRAT operates by receiving commands from its command-and-control (C&C) server via Telegram. The use of Telegram allows Lazarus to evade detection and maintain communication with the compromised systems.

Features of BottomLoader

Designed as a downloader, BottomLoader fetches and executes payloads from hardcoded URLs. Notably, it has been observed deploying the custom proxy tool, HazyLoad, in targeted attacks against a European manufacturer and a South Korean physical security and surveillance firm.

Functionality of DLRAT

DLRAT serves a dual purpose as both a downloader and a backdoor. This combination allows Lazarus to establish persistent access to compromised systems and subsequently download additional malware or execute various commands.

Exploitation Techniques Employed by Lazarus

Lazarus has demonstrated proficiency in exploiting known vulnerabilities to gain initial access to target environments. The exploitation of Log4Shell on internet-accessible VMware Horizon servers has been observed, followed by reconnaissance and the deployment of the HazyLoad implant. The group also employs utilities like ProcDump and Mimikatz for credential dumping. Ultimately, the NineRAT backdoor is deployed to gain complete control over the compromised systems.

The use of Dlang-based malware by North Korean hackers, particularly Lazarus, poses a significant threat to organizations in various sectors, including manufacturing, agriculture, and physical security. The overlapping activities between Lazarus and Onyx Sleet highlight the coordinated efforts of these North Korean hacking groups. Continued monitoring and robust cybersecurity measures are crucial to combating these threats and protecting targeted organizations from the evolving tactics and techniques employed by state-sponsored cybercriminals.

Explore more

How Can SMBs Leverage Surging Embedded Finance Trends?

Setting the Stage: The Embedded Finance Revolution Imagine a small e-commerce business owner finalizing a sale and, with a single click, securing instant working capital to restock inventory—all without leaving their sales platform. This seamless integration of financial services into everyday business tools is no longer a distant vision but a defining reality of the current market, known as embedded

How Do Key Deliverables Drive Digital Transformation Success?

In an era where technology evolves at breakneck speed, digital transformation has become a cornerstone for organizations aiming to redefine how they create and deliver value through innovations like artificial intelligence, predictive analytics, and robotic process automation. However, the path to achieving such transformation is fraught with obstacles—complex systems, resistant workflows, and unforeseen risks often stand in the way of

How Will CCaaS and CRM Integrations Shape Future CX Trends?

In the rapidly shifting world of business, customer experience (CX) has become the cornerstone of competitive advantage, pushing companies to seek innovative ways to connect with their audiences. As organizations strive to deliver interactions that are not only seamless but also deeply personalized, the integration of Contact Center as a Service (CCaaS) and Customer Relationship Management (CRM) systems has emerged

Trend Analysis: AI Code Generation Breakthroughs

Introduction Imagine a world where software developers can generate thousands of lines of code in mere seconds, seamlessly aligning with their thought processes without a hint of delay. This is no longer a distant vision but a reality in 2025, as AI code generation has achieved staggering speeds of 2,000 tokens per second, revolutionizing the landscape of software development. This

What Is Vibe Coding and Its Impact on Enterprise Tech?

Introduction Imagine a world where software prototypes are built in mere hours, powered by artificial intelligence that writes code faster than any human could dream of typing, transforming the enterprise tech landscape. This isn’t a distant fantasy but a reality in today’s world, driven by an emerging practice known as vibe coding. This approach, centered on speed and experimentation, is