NineRAT Malware Targets Systems Using Tactics of Lazarus Hacker Group

Cisco Talos recently uncovered a new cyber campaign orchestrated by the Lazarus Group, named "Operation Blacksmith." This operation employs three novel DLang-based malware families, with two identified as remote access trojans (RATs). Notably, one of these RATs utilizes Telegram bots and channels as a means of command and control (C2) communications, earning the moniker "NineRAT," while the non-Telegram-based RAT is labeled "DLRAT." Additionally, a DLang-based downloader known as "BottomLoader" was identified in the operation.

This discovery marks a significant shift in the tactics employed by the Lazarus Group, a North Korean APT (Advanced Persistent Threat) group. Over the past 18 months, Cisco Talos has disclosed three distinct RATs developed using unconventional technologies such as QtFramework, PowerBasic, and the most recent addition, DLang.

Notably, parallels were observed between Lazarus' Operation Blacksmith and the tactics, techniques, and procedures (TTPs) associated with the North Korean state-sponsored group Onyx Sleet, also recognized as the Andariel APT group. Andariel is widely considered a sub-group under the Lazarus umbrella, with this campaign demonstrating opportunistic targeting of global enterprises that expose vulnerable infrastructure to n-day vulnerability exploitation, including the well-known CVE-2021-44228 (Log4j). Lazarus specifically targeted industries such as manufacturing, agriculture, and physical security.

Operation Blacksmith involved the exploitation of Log4j and introduced a previously unknown DLang-based RAT, NineRAT, which utilized Telegram for C2 communication. NineRAT was initially constructed around May 2022 and was first employed in the campaign approximately a year later, targeting a South American agricultural organization in March 2023 and a European manufacturing entity in September 2023.

Analyses by Cisco Talos revealed overlap with malicious attacks disclosed by Microsoft in October 2023, attributed to Onyx Sleet. This aligns with the broader understanding that the Lazarus APT operates as an umbrella organization encompassing various sub-groups, each pursuing different objectives related to North Korea's defense, politics, national security, and research and development.

Computer users affected by the NineRAT malware should run an anti-malware tool, both to fully eliminate the threat and to help prevent future attacks.

December 13, 2023
