The Lazarus Group, associated with North Korea, has been identified deploying unique malware strains written in the DLang programming language, marking an unusual choice for crafting malicious code. The discovery is part of “Operation Blacksmith,” where three distinct DLang-based malware strains were employed in cyber attacks across various industries, including manufacturing, agriculture, and physical security. Cisco Talos researchers revealed the operation’s attribution to Andariel, believed to be a sub-division of the Lazarus Group, North Korea’s state-sponsored cyber unit.
Operation Blacksmith primarily targeted organizations vulnerable to n-day vulnerabilities, such as the critical log4j vulnerability disclosed in December 2021. Notably, the Lazarus Group exploited public-facing VMware Horizon servers using the Log4Shell vulnerability, utilizing a remote access trojan (RAT) named NineRAT. This RAT, first built in May 2022 and employed from March to October 2023, demonstrated a sophisticated approach, leveraging Telegram for its command-and-control infrastructure to evade detection.
In addition to NineRAT, two other DLang-based malware strains were identified: BottomLoader and DLRAT. BottomLoader functions as a downloader for second-stage attacks, while DLRAT acts as a downloader for additional malware payloads, gathering session information and exhibiting RAT capabilities. The researchers highlighted the unusual choice of DLang for writing malware, noting a broader trend in the cybercrime landscape towards adopting newer languages and frameworks.
The preference for memory-safe languages like Rust has been observed in various ransomware groups, emphasizing reliability and performance. While Rust remains a popular choice, the Lazarus Group’s use of DLang indicates a diversification in programming language preferences among cybercriminals. The acceleration in adopting languages like Rust and DLang aligns with a broader trend in the programming world, emphasizing the importance of memory safety in crafting resilient and efficient malware.
