The Lazarus Group is a notorious North Korean state-sponsored hacking organization known for:-.
They have been implicated in high-profile incidents, including the 2014 Sony Pictures hack and the 2017 WannaCry ransomware outbreak.
Blacksmith operation exploits Log4Shell and deploys a new DLang RAT via Telegram for C2 communication.
NineRAT operates through Telegram for C2, including commands and file transfers.
It comprises a dropper with two embedded components:-.
NineRAT, the main interaction method on infected hosts, coexists with previous tools like HazyLoad for sameness.
Lazarus ensures persistent access with overlapping backdoor entries.
Despite the switch, older NineRAT samples still use open channels, reads the report.
Anadriel, active since 2022, employs two API tokens, one publicly listed, interacting with Telegram via DLang-based libraries.
The NineRAT tests authentication and handles file upload/download through Telegram methods.
Not only that but even from the system using a BAT file, the NineRAT can also uninstall itself.
NineRAT led to the discovery of two more Lazarus DLang-based malware families.
BottomLoader, a downloader, downloads payloads via a PowerShell command and creates persistence.
DLRAT, a downloader, and RAT that executes commands, performs system reconnaissance, and communicates with C2 using a hardcoded session ID. The attack exploits CVE-2021-44228 on public-facing VMWare Horizon servers for initial access, deploying a custom implant after reconnaissance.
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 13 Dec 2023 07:55:23 +0000