The North Korea-linked threat group Lazarus has been attributed to a new global campaign that exploits the infamous Log4j flaw to deploy three previously undocumented DLang-based malware – NineRAT, DLRAT, and BottomLoader.

A glance at the infection process

• Once the initial reconnaissance has been completed, the attackers deploy the HazyLoad proxy tool to establish a foothold on the infected systems. 
• HazyLoad is downloaded and executed utilizing another malware called BottomLoader.
• In certain instances, researchers observed the threat actors using a new remote IP address instead of HazyLoad for communication. 
• Upon gaining access to systems, they create an additional user account to gain administrative privileges and deploy NineRAT in the final stage to collect system information and other sensitive details.
• The campaign has also been observed delivering DLRAT to deploy additional malware, retrieve commands from the C2, and execute them on the compromised systems.

More about NineRAT

• Initially built around May 2022, NineRAT was first used in this campaign in March to target a South American agricultural organization. 
• Later in September, the malware was used against a manufacturing entity in Europe.
• NineRAT uses Telegram as its C2 channel to receive commands to gather system information, communicate its output, and even uninstall and upgrade itself.

Conclusion