Research into Lazarus Group’s attacks using Log4Shell has revealed novel malware strains written in an atypical programming language.
DLang is among the newer breed of memory-safe languages that Western security agencies have endorsed over the past few years, and the same type of language that cybercriminals are switching to.
At least three new DLang-based malware strains have been used in attacks on worldwide organizations spanning the manufacturing, agriculture, and physical security industries, Cisco Talos revealed today.
The attacks form part of what’s being called “Operation Blacksmith” and are attributed to a group tracked as Andariel, believed to be a sub-division of the Lazarus Group – North Korea’s state-sponsored offensive cyber unit.
Operation Blacksmith saw the regular targeting of organizations exposed to n-day vulnerabilities, such as the critical log4j vulnerability disclosed in December 2021 (CVE-2021-44228).
One of them, NineRAT, was associated with attacker activity following the exploitation of public-facing VMware Horizon servers via Log4Shell – the industry-coined term for exploits of the log4j vulnerability – and uses Telegram bots and channels for its C2 infrastructure.
Through unpicking the remote access trojan (RAT), researchers at Cisco Talos discovered that it was first built around May 2022 but was only used in attacks starting in March 2023 through to October.
The October attacks on JetBrains’ TeamCity CI/CD tool were also attributed to Andariel. The group itself is typically tasked with gaining initial access to organizations and maintaining long-term access for cyber espionage campaigns, but has also been known to carry out ransomware attacks.
The attacks it carried out using NineRAT shared similar tactics, techniques, and procedures (TTPs) to those seen in prior attacks, with a common finding being the use of the HazyLoad proxy tool previously only seen in the TeamCity attacks.
NineRAT’s use of Telegram is understood to be for evading network- and host-based detection. Running malicious traffic through a legitimate service is a common tactic among cybercriminals, who have used other social platforms such as Discord for the same purpose.
BottomLoader, the second strain identified by the researchers, acts as a downloader for second-stage payloads such as the HazyLoad tool. It downloads payloads from a hardcoded URL via a PowerShell command and can also upload files, again via PowerShell.
It can also establish persistence for follow-up payloads by creating a .URL file in the Startup directory, relying on PowerShell again to download any follow-up packages.
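A defender-side check for the persistence pattern just described, written as an added example (not code from the article or from Cisco Talos): it parses .URL files found in the Windows Startup folders and flags those whose target is a local script or executable rather than a web page. The Startup paths, the heuristics and the two sample shortcuts are assumptions and constructed data, not indicators from the report.

```python
"""Flag .url (Internet Shortcut) persistence in Windows Startup folders.
Added example, not code from the article or Cisco Talos; paths, heuristics and
sample files are assumptions/constructed, not indicators from the report."""
import configparser
import os
import re
from pathlib import Path
from typing import List, Tuple

# Per-user and all-users Startup folders (standard Windows locations, assumed).
STARTUP_DIRS = [
    Path(os.environ.get("APPDATA", r"C:\Users\Default\AppData\Roaming")) / "Microsoft/Windows/Start Menu/Programs/Startup",
    Path(os.environ.get("ProgramData", r"C:\ProgramData")) / "Microsoft/Windows/Start Menu/Programs/StartUp",
]
# Heuristics (constructed): a target that hands control to a script host or binary.
SCRIPT_TARGET = re.compile(r"powershell|pwsh|mshta|wscript|cscript|cmd\.exe|\.(ps1|bat|cmd|vbs|js|hta|exe|dll)\b", re.I)
WEB_TARGET = re.compile(r"^(https?|ftp)://", re.I)

def parse_url_shortcut(text: str) -> dict:
    """Parse the INI-style [InternetShortcut] section (keys come back lower-cased)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)  # raises configparser.Error on malformed input
    return dict(cp.items("InternetShortcut")) if cp.has_section("InternetShortcut") else {}

def assess_shortcut(text: str) -> List[str]:
    """Reasons a .url file looks like download-and-run persistence; [] means benign."""
    try:
        target = parse_url_shortcut(text).get("url", "").strip()
    except configparser.Error:
        return ["malformed .url file"]
    if not target:
        return ["no URL= target"]
    reasons = []
    if SCRIPT_TARGET.search(target):
        reasons.append("target invokes a script host or executable")
    if not WEB_TARGET.match(target):
        reasons.append("target is a local path, not a web address")
    return reasons

def scan_startup(dirs=STARTUP_DIRS) -> List[Tuple[Path, List[str]]]:
    """Return (path, reasons) for every flagged .url file in the Startup folders."""
    hits = []
    for p in (f for d in dirs if d.is_dir() for f in d.glob("*.url")):
        reasons = assess_shortcut(p.read_text(errors="replace"))
        if reasons:
            hits.append((p, reasons))
    return hits

# Constructed samples: an ordinary web shortcut and a persistence-style one.
BENIGN = "[InternetShortcut]\nURL=https://www.example.com/\nIconIndex=0\n"
SUSPECT = "[InternetShortcut]\nURL=file:///C:/ProgramData/update.ps1\n"
```

Call scan_startup() on a Windows host to list flagged shortcuts; on other systems the Startup paths do not exist and it simply returns an empty list.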
Finally, DLRAT acts as a downloader for additional malware payloads, gathers session information before returning it to the attackers, and also has RAT capabilities.
Moving to memory safety
The researchers noted that DLang is an uncommon choice for writing malware, but a shift towards newer languages and frameworks is one that’s been accelerating over the last few years – in malware coding as in the larger programming world.
Rust, however, has often shown itself to be the preferred choice out of what is a fairly broad selection of languages deemed to be memory-safe.
AlphV/BlackCat was the first ransomware group to make such a shift last year, re-writing its payload in Rust to offer its affiliates a more reliable tool. A month later, the now-shuttered Hive group did the same thing, and many others followed after that.
Other groups to snub Rust include China-based Sandman, which was recently observed using Lua-based malware, believed to be part of a wider shift toward Lua development among Chinese attackers.
Rust is the “most loved” of all the development languages, according to Stack Overflow’s annual developer surveys, and that’s consistently been the case for the last seven years.
It’s frequently mentioned in the same breath as the likes of Go, Ruby, and Swift for memory safety, but developers often report enjoying writing in Rust more than in other languages.
It also performs better than some of its peers, such as Go, which is sometimes criticized for a garbage collector that slows applications down. Rust binned its garbage collector years ago and, as a result, runs comparatively faster than similar languages.
DLang also has a garbage collector, meaning that in some cases it may run slower than Rust, but languages like DLang and Go benefit from faster compile times, so it can be a trade-off developers make based on their preferences. ®