North Korean Hackers Utilize Dlang-Based Malware in Targeted Attacks

North Korean hackers have recently been employing Dlang-based malware, a relatively uncommon programming language, for malicious purposes. Lazarus, a North Korea-linked hacking group, has been identified as the culprit behind these attacks. This article delves into the rise of Dlang in malware development and provides an analysis of Lazarus’ three Dlang malware families. It also explores the overlapping activity with another North Korean group, Onyx Sleet (also known as Plutionium and Andariel). Furthermore, the article examines the functionality of each malware family, the exploitation techniques employed by Lazarus, and the implications of these targeted attacks.

Dlang as an Uncommon Programming Language for Malware Development

The adoption of Dlang by malware developers has surged in recent years due to its versatility and easy learning curve. This shift in the choice of programming language needs to be understood in the context of the targeted attacks carried out by North Korean hackers.

The Three Malware Families Built with Dlang by Lazarus

Lazarus has utilized three distinct malware families, namely NineRAT, DLRAT, and BottomLoader, all developed using Dlang. Each family serves its purpose in different stages of the attack process, contributing to the success of Lazarus’ operations. These malware families have been in use by Lazarus since March 2023.

Overlapping Activity with Onyx Sleet (Plutonium and Andariel)

The observed attacks demonstrate an overlap with the activities of Onyx Sleet, another North Korean hacking group also known as Plutonium and Andariel. The connection between Lazarus and Onyx Sleet raises concerns about the coordinated efforts of these groups and their combined capabilities.

Analysis of NineRAT

Introduced around May 2022, NineRAT operates by receiving commands from its command-and-control (C&C) server via Telegram. The use of Telegram allows Lazarus to evade detection and maintain communication with the compromised systems.

Features of BottomLoader

Designed as a downloader, BottomLoader fetches and executes payloads from hardcoded URLs. Notably, it has been observed deploying the custom proxy tool, HazyLoad, in targeted attacks against a European manufacturer and a South Korean physical security and surveillance firm.

Functionality of DLRAT

DLRAT serves a dual purpose as both a downloader and a backdoor. This combination allows Lazarus to establish persistent access to compromised systems and subsequently download additional malware or execute various commands.

Exploitation Techniques Employed by Lazarus

Lazarus has demonstrated proficiency in exploiting known vulnerabilities to gain initial access to target environments. The exploitation of Log4Shell on internet-accessible VMware Horizon servers has been observed, followed by reconnaissance and the deployment of the HazyLoad implant. The group also employs utilities like ProcDump and Mimikatz for credential dumping. Ultimately, the NineRAT backdoor is deployed to gain complete control over the compromised systems.

The use of Dlang-based malware by North Korean hackers, particularly Lazarus, poses a significant threat to organizations in various sectors, including manufacturing, agriculture, and physical security. The overlapping activities between Lazarus and Onyx Sleet highlight the coordinated efforts of these North Korean hacking groups. Continued monitoring and robust cybersecurity measures are crucial to combating these threats and protecting targeted organizations from the evolving tactics and techniques employed by state-sponsored cybercriminals.

Explore more

Ethereum Uses AI Swarms to Proactively Patch Network Flaws

The architectural integrity of global decentralized networks has reached a pivotal juncture where the speed of malicious exploitation often outpaces the traditional cadence of human-led security audits. To address this widening gap, The Ethereum Foundation has fundamentally transitioned its security strategy from a reactive model to an automated, proactive defense paradigm that leverages the power of machine learning. This shift

How Is ERP Modernization Driving DLA to Audit Readiness?

The Defense Logistics Agency currently manages an intricate global supply chain that serves as the backbone for the United States military, requiring an unprecedented level of financial precision and operational transparency to meet modern oversight requirements. This massive undertaking involves a transition from aging, siloed legacy systems to a unified Enterprise Resource Planning environment designed to provide real-time visibility into

What Makes Odyssey Infostealer a Global Threat to macOS?

The long-standing myth that macOS remains immune to sophisticated cyberattacks has been decisively shattered by the emergence of the Odyssey infostealer, a highly specialized malware variant engineered to bypass modern system integrity protections. This transition represents a fundamental shift in the threat landscape, where the historical security-by-obscurity advantage once enjoyed by Apple users has entirely vanished. As the adoption of

Can AI Secure Windows Without Compromising Stability?

The sheer scale of modern software development has reached a point where manual code review is no longer sufficient to protect the billions of devices running Windows across the globe. As lines of code multiply and interdependencies become more complex, traditional security measures are struggling to keep pace with the rapid evolution of sophisticated digital threats. In response to this

Xero Launches JAX to Redefine Accounting with Agentic AI

Small business owners have historically spent an exhausting amount of time tethered to spreadsheets and receipts, but the emergence of agentic AI is finally turning those static records into a living, breathing financial command center that operates with minimal human oversight. With more than five million global subscribers now integrated into its ecosystem, Xero is spearheading a movement toward Accountable