Cisco Talos researchers recently observed the North Korea-linked Lazarus Group deploy three malware families written in the D programming language (Dlang) against targets in the manufacturing, agriculture, and physical security sectors. Dlang appeals to some malware developers because it is easy to pick up and compiles to native code for multiple platforms, but it is an uncommon language overall, which also means Dlang binaries are less familiar to analysts and less well covered by detection tooling than C/C++ or .NET samples.
- NineRAT is one of two remote access trojans (RATs) that Lazarus wrote in Dlang, built around May 2022. In March 2023, Lazarus exploited the Log4Shell vulnerability (CVE-2021-44228) to deploy NineRAT against a South American agricultural organization and a European manufacturing company. NineRAT uses the Telegram Bot API as its command-and-control (C2) channel, so tasking and results travel over legitimate Telegram infrastructure rather than to attacker-owned servers. It can harvest system information, upload files, and uninstall itself.
- DLRAT, the second Dlang RAT, functions as both a downloader and a backdoor; like NineRAT, it can upload files and delete itself from an infected machine. The third Dlang tool, BottomLoader, is a simple downloader that fetches and executes a payload from a hardcoded URL. Lazarus has used BottomLoader to deliver its custom HazyLoad tool against a European manufacturer and a security firm in South Korea.
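The Telegram-based tasking described above is something a SOC can hunt for independently of any NineRAT sample. The following is an added example, not code from the original page or from Cisco Talos: a small Python detection over constructed proxy log lines that flags hosts using the Telegram Bot API (api.telegram.org/bot<token>/<method>) as a beacon, i.e. repeated getUpdates polling plus result uploads from a non-browser client. The log format, IP addresses and bot tokens are invented for the example; only the Bot API URL layout is Telegram's documented one.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not real traffic). One request per line:
# <timestamp> <src_ip> <host> <method> <path> "<user-agent>"
# IPs, bot IDs and tokens are invented for this example.
SAMPLE_PROXY_LOG = """\
2023-03-14T09:00:01Z 10.1.4.22 api.telegram.org GET /bot123456789:AAExampleTokenOnly_NotReal_AAAAAAAAAAAAAA/getUpdates?offset=0 "dlang-requests/2.0"
2023-03-14T09:00:31Z 10.1.4.22 api.telegram.org GET /bot123456789:AAExampleTokenOnly_NotReal_AAAAAAAAAAAAAA/getUpdates?offset=17 "dlang-requests/2.0"
2023-03-14T09:01:01Z 10.1.4.22 api.telegram.org GET /bot123456789:AAExampleTokenOnly_NotReal_AAAAAAAAAAAAAA/getUpdates?offset=18 "dlang-requests/2.0"
2023-03-14T09:01:02Z 10.1.4.22 api.telegram.org POST /bot123456789:AAExampleTokenOnly_NotReal_AAAAAAAAAAAAAA/sendDocument "dlang-requests/2.0"
2023-03-14T09:02:00Z 10.1.7.5 web.telegram.org GET /a/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/111.0"
2023-03-14T09:02:10Z 10.1.9.9 api.telegram.org GET /bot555000111:AnotherFakeToken_ForTheExample_BBBBBBBBBBBB/getMe "python-requests/2.28.1"
2023-03-14T09:03:00Z 10.1.4.22 example.com GET /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/111.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
# Bot API paths look like /bot<numeric id>:<token>/<method>
BOT_PATH_RE = re.compile(r'^/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)')
BROWSER_UA_RE = re.compile(r'Mozilla/5\.0 .*(Chrome|Firefox|Safari|Edg)/')

# A bot-based C2 needs two things: polling for tasking and pushing results back.
POLL_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}


def parse_line(line):
    """Split one proxy log line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, host, method, path, ua = m.groups()
    return {"ts": ts, "src": src, "host": host, "method": method, "path": path, "ua": ua}


def bot_call(rec):
    """Return (bot_id, api_method) if the request is a Telegram Bot API call, else None."""
    if rec["host"] != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(rec["path"])
    if not m:
        return None
    bot_id, _token, api_method = m.groups()  # the token itself is deliberately not kept
    return bot_id, api_method


def find_bot_c2(log_text, min_polls=3):
    """Return {src_ip: finding} for hosts whose Bot API use looks like beaconing.

    A host is flagged when it has at least `min_polls` getUpdates calls or any
    upload call, and at least one of those calls came from a non-browser client.
    """
    per_src = defaultdict(lambda: {"bots": set(), "polls": 0, "exfil": 0, "non_browser": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        call = bot_call(rec)
        if call is None:
            continue
        bot_id, api_method = call
        s = per_src[rec["src"]]
        s["bots"].add(bot_id)
        if api_method in POLL_METHODS:
            s["polls"] += 1
        if api_method in EXFIL_METHODS:
            s["exfil"] += 1
        if not BROWSER_UA_RE.search(rec["ua"]):
            s["non_browser"] = True

    findings = {}
    for src, s in per_src.items():
        reasons = []
        if s["polls"] >= min_polls:
            reasons.append(f"{s['polls']} getUpdates polls")
        if s["exfil"]:
            reasons.append(f"{s['exfil']} upload calls")
        if reasons and s["non_browser"]:
            findings[src] = {"bot_ids": sorted(s["bots"]), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for src, finding in find_bot_c2(SAMPLE_PROXY_LOG).items():
        print(src, finding)
```

On the constructed log only 10.1.4.22 is flagged: three getUpdates polls and one sendDocument from a non-browser client. The single getMe call from 10.1.9.9 is not, which is the point of requiring a polling or upload pattern rather than any contact with api.telegram.org. The user agent is attacker-controlled and is used only as a tie-breaker; the durable signal is the poll-plus-upload pattern against the bot endpoint from hosts that have no business running a Telegram bot. The bot token is kept out of the summary so an alert does not carry a credential that could be used to talk to the attacker's bot; keep it in the raw evidence for the investigation.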
Read More:
https://www.securityweek.com/north-korean-hackers-developing-malware-in-dlang-programming-language/