lazarusholic

Everyday is lazarus.dayβ

Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang

2023-12-11, CiscoTalos
https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/
#Andariel #NineRAT #Blacksmith #DLRAT #CVE-2021-44228

Contents

- Cisco Talos recently discovered a new campaign conducted by the Lazarus Group we’re calling “Operation Blacksmith,” employing at least three new DLang-based malware families, two of which are remote access trojans (RATs), one of which uses Telegram bots and channels as a medium of command and control (C2) communications. We track this Telegram-based RAT as “NineRAT” and the non-Telegram-based RAT as “DLRAT.” We track the DLang-based downloader as “BottomLoader.”
- Our latest findings indicate a definitive shift in the tactics of the North Korean APT group Lazarus Group. Over the past year and a half, Talos has disclosed three different remote access trojans (RATs) built using uncommon technologies in their development, like QtFramework, PowerBasic and, now, DLang.
- Talos has observed an overlap between our findings in this campaign conducted by Lazarus including tactics, techniques and procedures (TTPs) consistent with the North Korean state-sponsored group Onyx Sleet (PLUTIONIUM), also known …

IoC
