North Korean Hackers Developing Malware in Dlang Programming Language

The North Korea-linked hacking group Lazarus has been observed deploying Dlang malware in attacks against organizations in the manufacturing, agriculture, and physical security sectors, Cisco’s Talos security researchers report.

Released in 2001, Dlang, or simply D, is a multi-paradigm system programming language built upon the idea of C++, but drawing inspiration from C#, Eiffel, Java, Python, Ruby, and other high-level languages as well. 

Dlang is considered an uncommon programming language for malware development, but has started attracting malware developers, likely due to its versatility and easy learning curve. Dlang allows developers to cross-compile applications for multiple architectures.

Since March 2023, Lazarus, an advanced persistent threat (APT) actor sponsored by the North Korean government, has been observed using three malware families built using Dlang, namely the NineRAT and DLRAT remote access trojans (RATs), and the BottomLoader downloader.

The malware families, Cisco reports, were used as part of Operation Blacksmith, in which Lazarus targeted systems unpatched against the infamous Log4Shell vulnerability (CVE-2021-44228), to deploy NineRAT against a South American agricultural organization and a European manufacturing business.

The observed attacks overlap with activity that can be attributed to Onyx Sleet, a North Korean group also known as Plutionium and Andariel. However, common consensus across the cybersecurity industry is that North Korean state-sponsored hackers operate under the Lazarus umbrella.

Likely built around May 2022, NineRAT uses Telegram for receiving commands from its command-and-control (C&C) server, likely to evade detection. After deployment, the RAT achieves persistence and becomes the main method of interaction with the infected host.

The malware can harvest system information, upgrade to a new version, stop its execution, uninstall itself, and upload files from the infected machine.

The BottomLoader downloader can fetch and execute a payload from a hardcoded URL, and has been observed deploying the custom proxy tool HazyLoad against the European manufacturer and against a South Korean physical security and surveillance firm.

BottomLoader was also designed to achieve persistence for newer versions or for its dropped payloads, through the creation of a URL file in the system’s Startup directory.

Lazarus’ third Dlang malware family is DLRAT, which functions both as a downloader and as a backdoor. It includes hardcoded commands for system reconnaissance, but can also execute commands to download and upload files, rename files, and delete itself from the machine.

As part of Operation Blacksmith, Lazarus was seen exploiting Log4Shell on internet-accessible VMware Horizon servers for initial access, followed by reconnaissance and the deployment of the HazyLoad implant. In some cases, a new user account was created for persistent access to the system.

Lazarus also employed utilities such as ProcDump and MimiKatz for credential dumping, and then deployed the NineRAT backdoor to the system.

Leave a Reply

Your email address will not be published. Required fields are marked *