Ninerat

NineRAT is a malicious software, or malware, that was first built in May 2022 and initially used in the Operation Blacksmith campaign against a South American agricultural organization in March. It is one of two Remote Access Trojans (RATs) utilized by Lazarus, a notorious Advanced Persistent Threat (APT) group, with the other being DLRAT. NineRAT, in particular, uses Telegram bots and channels for its command-and-control (C2) system, featuring DLang-based libraries that test authentication and enable document upload and download functionalities. Once activated, it becomes the primary interaction method with the infected host, even as older backdoor mechanisms like HazyLoad persist to provide Lazarus redundant access points. The researchers have found that the data collected by Lazarus via NineRAT may be shared with other APT groups. This information essentially resides in a different repository from the fingerprint data collected initially by Lazarus during their initial access and implant deployment phase. Once active, NineRAT receives preliminary commands from the C2 to again fingerprint the infected systems, indicating a re-fingerprinting process. The researchers have dubbed the Telegram-based RAT "NineRAT" and the non-Telegram variant "DLRAT," while a third component, a DLang-based downloader called "BottomLoader," is designed to retrieve additional payloads in subsequent stages of the operation. In the latest Andariel campaign, both NineRAT and DLRAT are being used as RATs. NineRAT uses Telegram as its command-and-control channel for commands, communication, and file transfers. Interestingly, Andariel exploits Log4Shell to attack publicly-accessible VMware Horizon servers to deliver NineRAT. This sophisticated malware strategy highlights the increasing complexity of cyber threats and underscores the need for robust cybersecurity measures.