Emulating the Politically Motivated North Korean Adversary Andariel – Part 2
On December 11, 2023, Cisco Talos reported the discovery of activity led by Andariel, a North Korean state-sponsored group known to be a subgroup of the notorious Lazarus group, which employed three new DLang-based malware families. This activity consists of continued opportunistic targeting of enterprises that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation. During the same activity, Andariel was observed targeting manufacturing, agricultural, and physical security companies.
Operation Blacksmith involved the exploitation of CVE-2021-44228, also known as Log4Shell, and the use of a previously unknown DLang-based Remote Access Trojan (RAT) named NineRAT, which employs Telegram as its C2 channel. NineRAT was initially built around May 2022 and was first used as early as March 2023, almost a year later, against a South American agricultural organization. A common tool in this activity was “HazyLoad”, a custom-made proxy tool previously observed targeting a European firm and an American subsidiary of …