One of the DLang-based implants deployed in the post-exploitation stage, dubbed NineRAT, is a remote access trojan (RAT) that uses Telegram as its command-and-control (C2) channel. “With NineRAT activated, the malware becomes the primary method of interaction with the infected host,” the Talos researchers said. “However, previously deployed backdoor mechanisms, such as the reverse proxy tool HazyLoad, remain in place. The multiple tools give overlapping backdoor entries to the Lazarus Group with redundancies in the event a tool is discovered, enabling highly persistent access.”
By using the NineRAT samples as a reference, the Talos researchers managed to locate two additional implants that used similar code. One is a downloader, also written in DLang, that the researchers dubbed BottomLoader. Its purpose is to download an additional payload from a hardcoded URL by using a PowerShell command.
The second implant, dubbed DLRAT, is more sophisticated: it is both a payload downloader and a remote access trojan. Unlike NineRAT, DLRAT doesn’t use Telegram for C2 but sends information about the infected host over HTTP to a C2 web server. In return, the attackers can instruct it to upload local files to the server, rename files and download additional payloads.
“The threat actors also created an additional user account on the system, granting it administrative privileges,” the researchers said. “Talos documented this TTP earlier this year, but the activity observed previously was meant to create unauthorized user accounts at the domain level. In this campaign, the operators created a local account, which matches the user account documented by Microsoft: krtbgt.”
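The account-creation TTP described above is the kind of activity a defender can catch from Windows Security event logs. The following is an added example written for this article, not Talos or Microsoft tooling: it correlates event 4720 (user account created) with event 4732 (member added to a local group) over constructed sample records, alerting when a freshly created local account lands in Administrators within a short window, or when the account name reported in this campaign, krtbgt, is added to Administrators at all. Field names follow the flattened form a SIEM would produce, and it assumes the 4732 member has already been resolved from its SID to a name.

```python
from datetime import datetime, timedelta

# Constructed Windows Security events (not real telemetry), flattened the way a
# SIEM normalises them. 4720 = user account created; 4732 = member added to a
# security-enabled local group. Assumption: the member in a 4732 record has
# already been resolved from its SID to a name in "MemberName".
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2023-11-02T03:14:07", "Computer": "WEB-01",
     "SubjectUserName": "svc_tomcat", "TargetUserName": "krtbgt"},
    {"EventID": 4732, "TimeCreated": "2023-11-02T03:14:09", "Computer": "WEB-01",
     "SubjectUserName": "svc_tomcat", "MemberName": "krtbgt",
     "TargetUserName": "Administrators"},
    {"EventID": 4720, "TimeCreated": "2023-11-02T09:00:00", "Computer": "HR-PC7",
     "SubjectUserName": "itadmin", "TargetUserName": "jdoe"},
    {"EventID": 4732, "TimeCreated": "2023-11-02T09:40:00", "Computer": "HR-PC7",
     "SubjectUserName": "itadmin", "MemberName": "jdoe",
     "TargetUserName": "Remote Desktop Users"},
    # Watchlisted name added to Administrators with no creation event in view
    # (e.g. created before log retention): must still raise an alert.
    {"EventID": 4732, "TimeCreated": "2023-11-03T22:05:41", "Computer": "DB-02",
     "SubjectUserName": "svc_tomcat", "MemberName": "krtbgt",
     "TargetUserName": "Administrators"},
]

WATCHLIST = frozenset({"krtbgt"})  # local account name reported in this campaign


def find_new_local_admins(events, window=timedelta(hours=24), watchlist=WATCHLIST):
    """Return one alert dict per 4732 event that adds either a freshly created
    account (4720 within `window` on the same host) or a watchlisted name to
    the local Administrators group."""
    created = {}  # (computer, account) -> (creation time, creating principal)
    for ev in events:
        if ev["EventID"] == 4720:
            key = (ev["Computer"], ev["TargetUserName"].lower())
            created[key] = (datetime.fromisoformat(ev["TimeCreated"]), ev["SubjectUserName"])
    alerts = []
    for ev in events:
        if ev["EventID"] != 4732 or ev["TargetUserName"] != "Administrators":
            continue
        account = ev["MemberName"].lower()
        added_at = datetime.fromisoformat(ev["TimeCreated"])
        hit = created.get((ev["Computer"], account))
        delta = (added_at - hit[0]) if hit else None
        recent = delta is not None and timedelta(0) <= delta <= window
        on_watchlist = account in watchlist
        if recent or on_watchlist:
            alerts.append({"computer": ev["Computer"], "account": account,
                           "added_by": ev["SubjectUserName"],
                           "seconds_to_admin": int(delta.total_seconds()) if recent else None,
                           "watchlist_hit": on_watchlist})
    return alerts
```

Routine admin work (jdoe added to Remote Desktop Users) produces no alert, while the two krtbgt additions do, the second purely on the name match.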
Log4j is the gift that keeps on giving
Log4Shell was originally reported on December 9, 2021, and affects the highly popular Java logging library Log4j. Because of the library’s widespread use, the vulnerability impacted millions of Java applications, both applications that companies developed in-house and commercial products from many software developers.
Patches for Log4j became available days after the flaw was announced, but it took months for all impacted vendors to release patches and for organizations to update their internal apps. Despite the wide publicity the flaw received, two years later enough systems appear to remain vulnerable for groups like Lazarus to still use the exploit. According to software supply chain management company Sonatype, which also operates the Central Repository for Java components, over 20% of Log4j downloads continue to be for vulnerable versions.