The notorious North Korea-backed Lazarus Group continues to change up its tactics to evade detection, with a new campaign featuring the exploitation of the Log4j critical vulnerability and three new malware families written in the D – or DLang – programming language.

The campaign is being run by the advanced persistent threat (APT) group Andariel – also known as Onyx Sheet and Plutonium – one of several subgroups in the Lazarus collective, according to researchers with Cisco System’s Talos threat intelligence unit.

“Our latest findings indicate a definitive shift in the tactics of” the Lazarus Group, researchers Jungsoo An, Asheer Malhotra, and Vitor Ventura wrote in a report. “Over the past year and a half, Talos has discovered three different remote access trojans (RATs) built using uncommon technologies in their development, like QtFramework, PowerBasic and, now, DLang.”

Many of the tactics and techniques used in the campaign – dubbed Operation Blacksmith – overlap with those of Andariel, which they wrote is know for initial access, reconnaissance, and long-term access for espionage campaigns run in support of the North Korean government, which uses cyber-operations to steal information and money to support its ballistic and nuclear weapons programs.

Andariel also is known for running its own ransomware attacks against healthcare facilities.

“Talos agrees with other researchers’ assessment that the Lazarus APT is essentially an umbrella of sub-groups that support different of North Korea in defense, politics, national security and research and development,” An, Malhotra, and Ventura wrote. “Each sub-group operates its own campaigns and develops and deploys bespoke malware against their targets, not necessarily working in full coordination.”

Andariel a Long-Time Threat

Andariel has been around since at least 2009 and in 2019 was sanctioned – along with Lazarus and Bluenoroff, another Lazarus subgroup – by the U.S. Treasury Department for their activities supporting North Korea’s weapons programs. Last year, the Justice Department offered a $10 million reward for information on North Korea threat groups, including Lazarus, Bluenoroff, Kimusky, and Andariel.

According to U.S. federal law enforcement, Andariel is linked to the same North Korean intelligence service that also is connected to Lazarus.

More recently, the group earlier this year was detected by Kaspersky researchers using another new malware family called EarlyRat, which was being used with the DTrack malware and Maui ransomware, and exploiting the Log4j flaw for initial access.

The Log4j remote code execution (RCE) flaw – also known as Log4Shell and Log4Jam – was discovered two years ago this month. The zero-day vulnerability – tracked as CVE-2021-44228 – sent shockwaves through the industry because of the ubiquitous use of the Apache Java logging tool in hundreds of millions of systems.

Cybersecurity firm Veracode in a report this month found that more than 38% of 38,278 applications scanned this year are running vulnerable versions of Log4j.

“There is still room for improvement when it comes to open-source software security,” Vercode Chief Research Officer Chris Eng wrote. “If Log4Shell was another example in a long series of wake-up calls to adopt more stringent open-source security practices, the fact that more than 1 in 3 applications currently run vulnerable versions of Log4j shows there is more work to do.”

Andariel also is suspected of stealing South Korean defense information earlier this month, including data about an anti-aircraft laser.

Two RATs, One Downloader

In the latest Andariel campaign, two of the DLang malware families being used are RATS, one of which Talos is calling NineRAT and is using Telegram bots and channels to communicate with command-and-control (C2) system. The non-Telegram RAT was dubbed DLRAT and the third malware is a downloader called BottomLoader, which is used to download other payloads like the HazyLoad proxy tool on infected systems.

NineRAT was built in May 2022 and first used in the Operation Blacksmith campaign in March against a South American agricultural organization. In September, Talos found it being used to attack a European manufacturing organization.

Andariel uses Log4Shell to exploit publicly-accessible VMware Horizon servers to deliver NineRAT.

The malware uses Telegram as the conduit to its C2 channel “for accepting commands, communicating their outputs and even for inbound and outbound file transfer,” Talos reported. “The use of Telegram by Lazarus is likely to evade network and host-based detection measures by employing a legitimate service as a channel of C2 communications.”

Data Collection

Andariel collects data about the system after initially infecting it. Once active, NineRAT gets preliminary commands from the C2 to again fingerprint the infected systems.

“Re-fingerprinting the infected systems indicates the data collected by Lazarus via NineRAT may be shared by other APT groups,” the researchers wrote.

HazyLoad, detailed by Microsoft in October, was used to target a European firm and a U.S. subsidiary of a South Korean physical security and surveillance company in May. In this case, Andariel uses HazyLoad to establish a direct connection to the infected system, rather than having to continue exploiting Log4j flaw.

The attackers also created another user on the system, giving them administrative privileges. Once created, they switched over to it for hands-on-keyboard activity, which begins with downloading credential dumping tools like ProcDump and MimiKatz.

DLRAT is used to gather information about an infected system, including OS versions running on it, the user running the malware, and the MAC address, which identifies the system on the network. The data is posted after DLRAT communicates with the C2.