Cisco reveals Operation Blacksmith as Lazarus targets organizations with new Telegram-based malware in DLang

Cisco Talos discovered a new Lazarus Group campaign, codenamed ‘Operation Blacksmith,’ that employs at least three new DLang-based malware families. Two of them are remote access trojans (RATs), and one of those uses Telegram bots and channels as its command and control (C2) medium. The operation exploited CVE-2021-44228, also known as Log4Shell, for initial access and then deployed the previously unknown Telegram-based RAT, compromising organizations in the manufacturing, agriculture, and physical security sectors.
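Telegram Bot API traffic is easy to miss because it rides over ordinary HTTPS to a well-known domain, but the URL shape is distinctive: every request goes to `api.telegram.org/bot<token>/<method>`. The following detection script is an added example for this article, not Talos code or any artifact of NineRAT; it scans constructed web-proxy log lines, flags hosts that call the Bot API, and rates a host higher when it both polls for tasking (`getUpdates`) and pushes data out (`sendMessage`/`sendDocument`). The token shape `<numeric id>:<35 characters>` is the commonly documented Bot API token format and is treated here as an assumption; the log format is invented for the example.

```python
"""Flag Telegram Bot API usage in web-proxy logs (added example, not Talos code)."""
import re
from collections import defaultdict

# Bot API URLs look like https://api.telegram.org/bot<token>/<method>.
# Token shape (<numeric bot id>:<35-char secret>) is the commonly documented
# format; treat it as an assumption and loosen if your telemetry shows otherwise.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)

# Methods a C2 channel would use: poll for operator tasking, push results back.
TASKING_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendMessage", "sendDocument"}

# Constructed proxy log: "<timestamp> <src_ip> <verb> <url> <status>".
SAMPLE_PROXY_LOG = """\
2023-09-14T10:01:07Z 10.20.5.17 GET https://api.telegram.org/bot1234567890:AAEwk3Zz7h0cGrx4XqP-b2yN6tLmQ9oW5Vu/getUpdates 200
2023-09-14T10:01:09Z 10.20.5.17 POST https://api.telegram.org/bot1234567890:AAEwk3Zz7h0cGrx4XqP-b2yN6tLmQ9oW5Vu/sendDocument 200
2023-09-14T10:01:12Z 10.20.7.40 GET https://www.example.com/index.html 200
2023-09-14T10:02:30Z 10.20.9.3 GET https://web.telegram.org/a/ 200
"""


def parse_line(line):
    """Split one constructed proxy log line into its fields, or None if malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, src, verb, url, status = parts[:5]
    return {"ts": ts, "src": src, "verb": verb, "url": url, "status": status}


def find_telegram_c2(log_text):
    """Return {src_ip: {"tokens": set, "methods": set, "count": int}} for Bot API callers."""
    hits = defaultdict(lambda: {"tokens": set(), "methods": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = BOT_API_RE.search(rec["url"])
        if m is None:  # web.telegram.org and unrelated traffic fall through here
            continue
        h = hits[rec["src"]]
        h["tokens"].add(m.group("token"))
        h["methods"].add(m.group("method"))
        h["count"] += 1
    return dict(hits)


def classify(hits, allowed_hosts=frozenset()):
    """Turn raw hits into alerts; hosts with a sanctioned Telegram bot can be allow-listed.

    Only the numeric bot id is surfaced, so the token secret does not end up in tickets.
    """
    alerts = []
    for src, h in sorted(hits.items()):
        if src in allowed_hosts:
            continue
        tasking = bool(h["methods"] & TASKING_METHODS)
        exfil = bool(h["methods"] & EXFIL_METHODS)
        severity = "high" if (tasking and exfil) else "medium"
        alerts.append({
            "src": src,
            "severity": severity,
            "methods": sorted(h["methods"]),
            "bot_ids": sorted({t.split(":", 1)[0] for t in h["tokens"]}),
            "requests": h["count"],
        })
    return alerts


if __name__ == "__main__":
    for alert in classify(find_telegram_c2(SAMPLE_PROXY_LOG)):
        print(alert)
```

Run against real proxy or TLS-inspection logs, the same regex works unchanged; the parser is the only part tied to the constructed format. Servers and OT hosts rarely have a legitimate reason to reach the Bot API at all, so for those asset classes a plain match on `api.telegram.org/bot` is already a strong signal regardless of which method is called.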

“Our latest findings indicate a definitive shift in the tactics of the North Korean APT group Lazarus Group,” Cisco Talos researchers Jungsoo An, Asheer Malhotra and Vitor Ventura wrote in a company blog post. “Over the past year and a half, Talos has disclosed three different remote access trojans (RATs) built using uncommon technologies in their development, like QtFramework, PowerBasic and, now, DLang.”

Talos also observed that the tactics, techniques and procedures (TTPs) in the current Lazarus campaign overlap with those of the North Korean state-sponsored group Onyx Sleet (PLUTONIUM), also known as the Andariel APT group. Andariel is widely considered to be an APT sub-group under the Lazarus umbrella.

The Talos researchers named the Telegram-based RAT ‘NineRAT.’ It was initially built around May 2022 and first used in this campaign as early as March 2023, almost a year later, against a South American agricultural organization. “We then saw NineRAT being used again around September 2023 against a European manufacturing entity. During our analysis, Talos found some overlap with the malicious attacks disclosed by Microsoft in October 2023 attributing the activity to Onyx Sleet, also known as PLUTONIUM or Andariel.”

Talos agrees with other researchers’ assessment that the Lazarus APT is essentially an umbrella of sub-groups that support different objectives of North Korea in defense, politics, national security, and research and development. Each sub-group operates its campaigns and develops and deploys bespoke malware against its targets, not necessarily working in full coordination. Andariel is typically tasked with initial access, reconnaissance, and establishing long-term access for espionage in support of North Korean government interests. In some cases, Andariel has also conducted ransomware attacks against healthcare organizations.

The current campaign, Operation Blacksmith, shares tooling and tactics with previous attacks conducted by the Andariel group within Lazarus. The researchers pointed out that a common artifact in this campaign was ‘HazyLoad,’ a custom-made proxy tool previously seen only in the Microsoft report.

“Talos found HazyLoad targeting a European firm and an American subsidiary of a South Korean physical security and surveillance company as early as May 2023,” the post revealed. “In addition to HazyLoad, we discovered ‘NineRAT’ and two more distinct malware families — both DLang-based — being used by Lazarus. This includes a RAT family we’re calling ‘DLRAT’ and a downloader we call ‘BottomLoader’ meant to download additional payloads such as HazyLoad on an infected endpoint.”

In September 2022, Cisco Talos researchers disclosed that they had been tracking an earlier campaign operated by the Lazarus advanced persistent threat (APT) group, attributed to North Korea by the U.S. government. Between February and July 2022, the group exploited Log4j vulnerabilities in VMware Horizon servers to gain an initial foothold in targeted organizations, among them energy providers headquartered in the U.S., Canada, and Japan.
