Research into Lazarus Group's attacks using Log4Shell has revealed novel malware strains written in an atypical programming language.
DLang is among the newer breed of memory-safe languages that Western security agencies have endorsed over the past few years, and it is the same kind of language that cybercriminals are switching to.
At least three new DLang-based malware strains have been used in attacks on worldwide organizations spanning the manufacturing, agriculture, and physical security industries, Cisco Talos revealed today.
NineRAT was seen in attacker activity that followed the exploitation of public-facing VMware Horizon servers via Log4Shell - the industry-coined name for exploitation of the log4j vulnerability - and it uses Telegram bots and channels for its command-and-control (C2) infrastructure.
By unpicking the remote access trojan, researchers at Cisco Talos found that it was first built around May 2022 but was not used in attacks until March 2023, with activity continuing through October.
The October attacks on JetBrains' TeamCity CI/CD tool were also attributed to Andariel, a Lazarus subgroup.
Andariel is typically tasked with gaining initial access to organizations and maintaining long-term access for cyber espionage campaigns, but it has also been known to carry out ransomware attacks.
The attacks it carried out using NineRAT shared tactics, techniques, and procedures with those earlier intrusions; a common finding was the use of the HazyLoad proxy tool, previously seen only in the TeamCity attacks.
Running malicious traffic through a legitimate service is a common tactic used by cybercriminals who have used other social platforms such as Discord for the same purposes.
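The defensive counterpart to the Telegram-based C2 described above is an egress check: server-tier hosts (a VDI server, a CI agent, a database) have no business reason to talk to a consumer messaging API, so any request from them to the Telegram Bot API is worth an alert regardless of which language the payload was written in. The following is an added example, not code from Cisco Talos or from the article; the proxy log format, the asset inventory, and the hostnames are constructed for illustration, and the only detail reused from the text is that the implant's C2 ran over Telegram bots (api.telegram.org is the Bot API endpoint such traffic would normally have to reach).

```python
"""Flag egress to the Telegram Bot API from hosts that should never use it.

Added example, not from the Talos research or The Register article. The log
format below is a constructed, simplified forward-proxy log and the asset
inventory is hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical asset inventory: hostname -> role. Server-tier roles have no
# legitimate reason to call a consumer messaging API.
ASSET_ROLES = {
    "horizon-cs01": "vdi-server",
    "build-agent-07": "ci-server",
    "db-prod-02": "database",
    "laptop-jsmith": "workstation",
}
SERVER_ROLES = {"vdi-server", "ci-server", "database"}

# Destination hosts that indicate a Telegram Bot API conversation.
TELEGRAM_API_HOSTS = {"api.telegram.org"}

# Constructed sample log: "<timestamp> <src_host> <method> <dest_host> <path> <status>"
# The bot token in the path is replaced by an obvious placeholder.
SAMPLE_LOG = """\
2023-10-03T02:14:07Z horizon-cs01 POST api.telegram.org /bot<TOKEN_REDACTED>/getUpdates 200
2023-10-03T02:14:09Z laptop-jsmith GET web.telegram.org /k/ 200
2023-10-03T02:14:12Z build-agent-07 GET repo.example.internal /artifacts/build.zip 200
2023-10-03T02:14:30Z db-prod-02 GET api.telegram.org /bot<TOKEN_REDACTED>/sendMessage 200
2023-10-03T02:15:01Z horizon-cs01 POST api.telegram.org /bot<TOKEN_REDACTED>/getUpdates 200
"""


@dataclass(frozen=True)
class ProxyEvent:
    ts: str
    src_host: str
    method: str
    dest_host: str
    path: str
    status: int


def parse_proxy_log(text):
    """Parse the constructed proxy format; skip malformed lines rather than crash."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, method, dest, path, status = parts
        try:
            events.append(ProxyEvent(ts, src, method, dest.lower(), path, int(status)))
        except ValueError:
            continue
    return events


def find_server_telegram_egress(events, roles=ASSET_ROLES, server_roles=SERVER_ROLES):
    """Return {src_host: request_count} for server-tier hosts reaching the Bot API.

    Workstations are deliberately ignored: a user on a laptop using Telegram is
    noise, while a VDI server or CI agent polling getUpdates matches the
    Telegram-bot C2 pattern and deserves an alert.
    """
    hits = defaultdict(int)
    for ev in events:
        if ev.dest_host not in TELEGRAM_API_HOSTS:
            continue
        if roles.get(ev.src_host) in server_roles:
            hits[ev.src_host] += 1
    return dict(hits)


if __name__ == "__main__":
    alerts = find_server_telegram_egress(parse_proxy_log(SAMPLE_LOG))
    for host, count in sorted(alerts.items()):
        print(f"ALERT {host} ({ASSET_ROLES[host]}): {count} request(s) to Telegram Bot API")
```

On the constructed sample this flags the VDI server and the database host but not the workstation, which is the split a defender wants: the rule keys on asset role plus destination, not on any property of the implant binary, so it holds whether the RAT is written in DLang, Rust, or anything else. In production the same logic would run against real proxy or DNS logs and the role map would come from the asset inventory or CMDB.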
BottomLoader, the second strain the researchers identified, acts as a downloader for second-stage payloads such as the HazyLoad tool.
Finally, DLRAT acts as a downloader for additional malware payloads, gathers session information before returning it to the attackers, and also has RAT capabilities.
The researchers noted that DLang is an uncommon choice for writing malware, but the shift toward newer languages and frameworks has been accelerating over the last few years - in malware development as in the wider programming world.
Rust has often proved to be the preferred choice among the fairly broad selection of languages deemed memory-safe.
AlphV/BlackCat was the first ransomware group to make such a shift last year, rewriting its payload in Rust to offer its affiliates a more reliable tool.
A month later, the now-shuttered Hive group did the same thing, and many others followed after that.
Other groups to snub Rust include China-based Sandman, which was recently observed using Lua-based malware, believed to be part of a wider shift toward Lua development among Chinese attackers.
Rust is frequently mentioned in the same breath as Go, Ruby, Swift, and other memory-safe languages, but developers often report enjoying the experience of writing in Rust more than in other languages.
Rust dropped its garbage collector years ago, and as a result runs comparatively faster than some otherwise similar languages.
DLang does have a garbage collector, meaning that in some cases it may run slower than Rust, but languages like DLang and Go compile faster, so the choice is a trade-off developers make based on their preferences.
This Cyber News was published on go.theregister.com. Publication date: Mon, 11 Dec 2023 18:43:05 +0000