North Korean hackers have recently been employing malware written in Dlang, a relatively uncommon programming language, for malicious purposes. Lazarus, a North Korea-linked hacking group, has been identified as the culprit behind these attacks. This article delves into the rise of Dlang in malware development and provides an analysis of Lazarus’ three Dlang malware families. It also explores the overlapping activity with another North Korean group, Onyx Sleet (also known as Plutonium and Andariel). Furthermore, the article examines the functionality of each malware family, the exploitation techniques employed by Lazarus, and the implications of these targeted attacks.
Dlang as an Uncommon Programming Language for Malware Development
The adoption of Dlang by malware developers has surged in recent years due to its versatility and easy learning curve. This shift in the choice of programming language needs to be understood in the context of the targeted attacks carried out by North Korean hackers.
The Three Malware Families Built with Dlang by Lazarus
Lazarus has utilized three distinct malware families, namely NineRAT, DLRAT, and BottomLoader, all developed using Dlang. Each family serves its purpose in different stages of the attack process, contributing to the success of Lazarus’ operations. These malware families have been in use by Lazarus since March 2023.
Overlapping Activity with Onyx Sleet (Plutonium and Andariel)
The observed attacks demonstrate an overlap with the activities of Onyx Sleet, another North Korean hacking group also known as Plutonium and Andariel. The connection between Lazarus and Onyx Sleet raises concerns about the coordinated efforts of these groups and their combined capabilities.
Analysis of NineRAT
Introduced around May 2022, NineRAT operates by receiving commands from its command-and-control (C&C) server via Telegram. The use of Telegram allows Lazarus to evade detection and maintain communication with the compromised systems.
Features of BottomLoader
Designed as a downloader, BottomLoader fetches and executes payloads from hardcoded URLs. Notably, it has been observed deploying the custom proxy tool, HazyLoad, in targeted attacks against a European manufacturer and a South Korean physical security and surveillance firm.
Functionality of DLRAT
DLRAT serves a dual purpose as both a downloader and a backdoor. This combination allows Lazarus to establish persistent access to compromised systems and subsequently download additional malware or execute various commands.
Exploitation Techniques Employed by Lazarus
Lazarus has demonstrated proficiency in exploiting known vulnerabilities to gain initial access to target environments. The exploitation of Log4Shell on internet-accessible VMware Horizon servers has been observed, followed by reconnaissance and the deployment of the HazyLoad implant. The group also employs utilities like ProcDump and Mimikatz for credential dumping. Ultimately, the NineRAT backdoor is deployed to gain complete control over the compromised systems.
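For defenders, the post-exploitation steps above leave traces in process and network telemetry. The following is an added example, not code from the original article or from any vendor report: it flags ProcDump-style LSASS dumps, Mimikatz command lines, and Telegram traffic from a process that is not a Telegram client, and escalates hosts where credential dumping and Telegram traffic occur together. The event schema, the sample events, the allowlist, and the assumption that the traffic is logged against the hostname api.telegram.org are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events; the schema (host, image, cmdline, dest) is hypothetical.
EVENTS = [
    {"host": "hz-01", "image": r"C:\Windows\Temp\pd.exe",
     "cmdline": r"pd.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp", "dest": None},
    {"host": "hz-01", "image": r"C:\ProgramData\svc.exe",
     "cmdline": "svc.exe", "dest": "api.telegram.org"},
    {"host": "ws-07", "image": r"C:\Users\a\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "cmdline": "Telegram.exe", "dest": "api.telegram.org"},
    {"host": "ws-09", "image": r"C:\Tools\m.exe",
     "cmdline": "m.exe privilege::debug sekurlsa::logonpasswords exit", "dest": None},
]

# ProcDump full/mini dump switch aimed at LSASS; matches even if the binary is renamed.
LSASS_DUMP = re.compile(r"(?i)\s[-/]m[am]\b.*\blsass")
# Mimikatz module syntax used for credential access.
MIMIKATZ = re.compile(r"(?i)\b(sekurlsa|lsadump)::")
TELEGRAM_HOST = "api.telegram.org"   # assumed hostname seen in network logs
TELEGRAM_CLIENTS = {"telegram.exe"}  # assumed allowlist of legitimate clients

def classify(event):
    """Return the set of rule names that one event triggers."""
    hits = set()
    if LSASS_DUMP.search(event["cmdline"]):
        hits.add("lsass_dump")
    if MIMIKATZ.search(event["cmdline"]):
        hits.add("mimikatz_cmdline")
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    if event["dest"] == TELEGRAM_HOST and image_name not in TELEGRAM_CLIENTS:
        hits.add("telegram_from_unknown_process")
    return hits

def triage(events):
    """Group hits per host; credential dumping plus Telegram traffic is escalated."""
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]] |= classify(event)
    report = {}
    for host, hits in per_host.items():
        cred = hits & {"lsass_dump", "mimikatz_cmdline"}
        chained = bool(cred) and "telegram_from_unknown_process" in hits
        if hits:
            report[host] = ("high" if chained else "medium", sorted(hits))
    return report

if __name__ == "__main__":
    print(triage(EVENTS))
```

Matching on the image file name alone is easy to evade, so a production rule would compare the full path or code signature instead. The LSASS rule also misses dumps requested by process ID rather than by name.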
The use of Dlang-based malware by North Korean hackers, particularly Lazarus, poses a significant threat to organizations in various sectors, including manufacturing, agriculture, and physical security. The overlapping activities between Lazarus and Onyx Sleet highlight the coordinated efforts of these North Korean hacking groups. Continued monitoring and robust cybersecurity measures are crucial to combating these threats and protecting targeted organizations from the evolving tactics and techniques employed by state-sponsored cybercriminals.