North Korean Hackers Utilize Dlang-Based Malware in Targeted Attacks

North Korean hackers have recently been employing Dlang-based malware, a relatively uncommon programming language, for malicious purposes. Lazarus, a North Korea-linked hacking group, has been identified as the culprit behind these attacks. This article delves into the rise of Dlang in malware development and provides an analysis of Lazarus’ three Dlang malware families. It also explores the overlapping activity with another North Korean group, Onyx Sleet (also known as Plutionium and Andariel). Furthermore, the article examines the functionality of each malware family, the exploitation techniques employed by Lazarus, and the implications of these targeted attacks.

Dlang as an Uncommon Programming Language for Malware Development

The adoption of Dlang by malware developers has surged in recent years due to its versatility and easy learning curve. This shift in the choice of programming language needs to be understood in the context of the targeted attacks carried out by North Korean hackers.

The Three Malware Families Built with Dlang by Lazarus

Lazarus has utilized three distinct malware families, namely NineRAT, DLRAT, and BottomLoader, all developed using Dlang. Each family serves its purpose in different stages of the attack process, contributing to the success of Lazarus’ operations. These malware families have been in use by Lazarus since March 2023.

Overlapping Activity with Onyx Sleet (Plutonium and Andariel)

The observed attacks demonstrate an overlap with the activities of Onyx Sleet, another North Korean hacking group also known as Plutonium and Andariel. The connection between Lazarus and Onyx Sleet raises concerns about the coordinated efforts of these groups and their combined capabilities.

Analysis of NineRAT

Introduced around May 2022, NineRAT operates by receiving commands from its command-and-control (C&C) server via Telegram. The use of Telegram allows Lazarus to evade detection and maintain communication with the compromised systems.

Features of BottomLoader

Designed as a downloader, BottomLoader fetches and executes payloads from hardcoded URLs. Notably, it has been observed deploying the custom proxy tool, HazyLoad, in targeted attacks against a European manufacturer and a South Korean physical security and surveillance firm.

Functionality of DLRAT

DLRAT serves a dual purpose as both a downloader and a backdoor. This combination allows Lazarus to establish persistent access to compromised systems and subsequently download additional malware or execute various commands.

Exploitation Techniques Employed by Lazarus

Lazarus has demonstrated proficiency in exploiting known vulnerabilities to gain initial access to target environments. The exploitation of Log4Shell on internet-accessible VMware Horizon servers has been observed, followed by reconnaissance and the deployment of the HazyLoad implant. The group also employs utilities like ProcDump and Mimikatz for credential dumping. Ultimately, the NineRAT backdoor is deployed to gain complete control over the compromised systems.

The use of Dlang-based malware by North Korean hackers, particularly Lazarus, poses a significant threat to organizations in various sectors, including manufacturing, agriculture, and physical security. The overlapping activities between Lazarus and Onyx Sleet highlight the coordinated efforts of these North Korean hacking groups. Continued monitoring and robust cybersecurity measures are crucial to combating these threats and protecting targeted organizations from the evolving tactics and techniques employed by state-sponsored cybercriminals.

Explore more

How Can MRP and MPS Optimize Your Supply Chain in D365?

Introduction Imagine a manufacturing operation where every order is fulfilled on time, inventory levels are perfectly balanced, and production schedules run like clockwork, all without excessive costs or last-minute scrambles. This scenario might seem like a distant dream for many businesses grappling with supply chain complexities. Yet, with the right tools in Microsoft Dynamics 365 Business Central, such efficiency is

Streamlining ERP Reporting in Dynamics 365 BC with FYIsoft

In the fast-paced realm of enterprise resource planning (ERP), financial reporting within Microsoft Dynamics 365 Business Central (BC) has reached a pivotal moment where innovation is no longer optional but essential. Finance professionals are grappling with intricate data sets spanning multiple business functions, often bogged down by outdated tools and cumbersome processes that fail to keep up with modern demands.

Top Digital Marketing Trends Shaping the Future of Brands

In an era where digital interactions dominate consumer behavior, brands face an unprecedented challenge: capturing attention in a crowded online space where billions of interactions occur daily. Imagine a scenario where a single misstep in strategy could mean losing relevance overnight, as competitors leverage cutting-edge tools to engage audiences in ways previously unimaginable. This reality underscores a critical need for

Microshifting Redefines the Traditional 9-to-5 Workday

Imagine a workday where logging in at 6 a.m. to tackle critical tasks, stepping away for a midday errand, and finishing a project after dinner feels not just possible, but encouraged. This isn’t a far-fetched dream; it’s the reality for a growing number of employees embracing a trend known as microshifting. With 65% of office workers craving more schedule flexibility

Boost Employee Engagement with Attention-Grabbing Tactics

Introduction to Employee Engagement Challenges and Solutions Imagine a workplace where half the team is disengaged, merely going through the motions, while productivity stagnates and innovative ideas remain unspoken. This scenario is all too common, with studies showing that a significant percentage of employees worldwide lack a genuine connection to their roles, directly impacting retention, creativity, and overall performance. Employee