The novel malware being deployed by Lazarus sub-group Andariel includes two remote access trojans (RATs) and a downloader. One of the RATs uses Telegram bots and channels for its command-and-control (C2) communications.
The campaign was discovered by Cisco Talos researchers who said in a Dec. 11 research post they observed the advanced persistent threat (APT) group targeting manufacturing, agricultural and physical security companies.
“This campaign consists of continued opportunistic targeting of enterprises globally that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation such as CVE-2021-44228 [the Log4j flaw],” the post said.
At least one of the attacks involved gaining initial access to an organization by successfully exploiting the Log4j vulnerability on publicly facing VMware Horizon servers.
The researchers said while the Log4j vulnerability had been “extensively exploited” by Lazarus in the past, a unique feature of the new campaign, which they dubbed “Operation Blacksmith,” was the use of the D programming language (Dlang) to craft the malware.
Dlang is not widely employed by threat groups and the researchers described its use as a “definitive shift in the tactics” used by Lazarus.
“Over the past year and a half, Talos has disclosed three different remote access trojans (RATs) built using uncommon technologies in their development, like QtFramework, PowerBasic and, now, Dlang,” the researchers said.
Lazarus using Telegram for C2 comms to avoid detection
The Telegram-based RAT, which Talos calls “NineRAT”, was initially built around May 2022 and was first used in the Operation Blacksmith campaign as early as March against a South American agricultural organization. The researchers then observed it being used again around September against a European manufacturing entity.
“NineRAT uses Telegram as its C2 channel for accepting commands, communicating their outputs and even for inbound and outbound file transfer,” they said.
“The use of Telegram by Lazarus is likely to evade network and host-based detection measures by employing a legitimate service as a channel of C2 communications.”
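As an added defensive example that is not from the Talos research or this article: a small Python check over constructed web-proxy log lines that flags server-class hosts (the kind of internet-facing servers the campaign targeted) making Telegram Bot API requests and reports how regular those requests are. The log format, hostnames, the "server"/"workstation" tag and the placeholder token are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed proxy log (not from the article): epoch seconds, source host,
# host class, destination host, URL path. "server" marks hosts that have no
# business talking to Telegram; the bot token is a placeholder.
PROXY_LOG = """\
1700000000 horizon-01 server api.telegram.org /botPLACEHOLDER_TOKEN/getUpdates
1700000300 horizon-01 server api.telegram.org /botPLACEHOLDER_TOKEN/getUpdates
1700000600 horizon-01 server api.telegram.org /botPLACEHOLDER_TOKEN/sendDocument
1700000900 horizon-01 server api.telegram.org /botPLACEHOLDER_TOKEN/getUpdates
1700000050 laptop-17 workstation api.telegram.org /botPLACEHOLDER_TOKEN/getMe
1700000100 horizon-02 server updates.example.com /patch
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (server|workstation) (\S+) (\S+)$")
TELEGRAM_HOSTS = {"api.telegram.org"}
# Telegram Bot API paths look like /bot<token>/<method>
BOT_API_RE = re.compile(r"^/bot[^/]+/\w+")


def parse(log):
    """Yield (timestamp, src_host, host_class, dst_host, path) per valid line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, cls, dst, path = m.groups()
            yield int(ts), src, cls, dst, path


def find_suspect_hosts(log, min_hits=3):
    """Return {host: (hit_count, mean_gap_seconds)} for server-class hosts
    that repeatedly call the Telegram Bot API; a steady gap suggests beaconing."""
    hits = defaultdict(list)
    for ts, src, cls, dst, path in parse(log):
        if cls == "server" and dst in TELEGRAM_HOSTS and BOT_API_RE.match(path):
            hits[src].append(ts)
    result = {}
    for src, stamps in hits.items():
        if len(stamps) >= min_hits:
            stamps.sort()
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            result[src] = (len(stamps), mean(gaps))
    return result


if __name__ == "__main__":
    for host, (n, gap) in find_suspect_hosts(PROXY_LOG).items():
        print(f"{host}: {n} Bot API requests, mean interval {gap:.0f}s")
```

Workstations are excluded here only to keep the sample small; in practice the host classification would come from an asset inventory and the threshold tuned per environment.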
The researchers said there was overlap between Operation Blacksmith and the exploitation of a remote-code execution vulnerability affecting multiple versions of JetBrains’ TeamCity software development platform, reported by Microsoft in October.
Microsoft attributed the TeamCity attacks to Andariel, which it tracks as “Onyx Sleet,” and another North Korean nation-state threat actor it tracks as “Diamond Sleet.”
The Talos researchers said they shared the generally held industry view that the various Lazarus sub-groups, including Andariel, were tasked with supporting different North Korean objectives in defense, politics, national security, and research and development.
“Each sub-group operates its own campaigns and develops and deploys bespoke malware against their targets, not necessarily working in full coordination. Andariel is typically tasked with initial access, reconnaissance and establishing long-term access for espionage in support of North Korean government interests. In some cases, Andariel has also conducted ransomware attacks against healthcare organizations,” they said.