Ninerat

Malware Profile Updated 3 months ago
NineRAT is a malware strain developed by the Lazarus group. It was first used in Operation Blacksmith in March 2022 against a South American agricultural organization; the malware was initially built around May 2022 and was later observed in September against a European manufacturing entity. Two of the campaign's malware strains are remote access trojans (RATs), tracked as NineRAT and DLRAT respectively. NineRAT uses Telegram bots and channels for its command-and-control (C2) communication, which helps it evade detection. The Telegram interaction is implemented with DLang-based libraries that test authentication and provide file upload and download functionality. Once activated, NineRAT becomes the primary means of interacting with the infected host, while older backdoor mechanisms such as HazyLoad persist, giving Lazarus redundant access points. The malware receives preliminary commands from the C2 to re-fingerprint the infected system, and Telegram serves as the channel for commands, communication, and file transfers. Andariel, a threat actor associated with the Lazarus group, has exploited publicly accessible VMware Horizon servers to deliver NineRAT. Researchers have indicated that the data Lazarus collects via NineRAT may be shared with other Advanced Persistent Threat (APT) groups; this data is kept in a different repository from the fingerprint data Lazarus collected during the initial access and implant deployment phase. Such sharing suggests a level of collaboration among malicious entities, potentially increasing the threat they pose.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Dlrat | 2 | DLRAT is a potent malware, classified as a Remote Access Trojan (RAT), developed and deployed by the Lazarus group. It functions both as a trojan and a downloader, capable of introducing additional payloads into an infected system. The malware infiltrates systems through suspicious downloads, emails
Magicrat | 1 | MagicRAT is a type of malware, first observed by Cisco Talos in 2022, that was used by the Lazarus Group to exploit vulnerabilities in publicly exposed VMWare Horizon platforms, primarily targeting energy companies worldwide. This malicious software, which can infiltrate systems through suspicious d
Miscellaneous Associations
Other contextual elements that may help in assessing relevance
Apt
Telegram
Malware
Rat
Implant
Cisco
Backdoor
Dropper
Downloader
Operation Bl...
Proxy
Teamcity
Talos
Exploit
Log4j
Vulnerability
Exploits
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Andariel | Unspecified | 2 | Andariel, a notorious threat actor associated with the Lazarus Group and linked to North Korea, is known for its malicious cyber activities. The group has been identified using DTrack malware and Maui ransomware, notably in mid-2022, and has developed a reputation for exploiting ActiveX objects. Res
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Log4Shell | Unspecified | 1 | Log4Shell is a software vulnerability, specifically a flaw in the design or implementation of the popular Java logging library, Log4j. Identified as CVE-2021-44228, this vulnerability allows an attacker to remotely execute arbitrary code, often leading to full system compromise. Advanced Persistent
CVE-2021-44228 | Unspecified | 1 | CVE-2021-44228, also known as the Log4j vulnerability, is a software flaw found in Apache Log4j, a widely used logging utility. Despite multiple attempts by Advanced Persistent Threat (APT) actors to exploit this vulnerability in the ServiceDesk system, these efforts were unsuccessful. However, it b
Hazyload | Unspecified | 1 | HazyLoad is a software vulnerability exploited by the threat actor Andariel to establish a direct connection with infected systems, bypassing the need for continued exploitation of the Log4j flaw. This custom-made implant acts as a proxy tool, allowing attackers to maintain persistence in the system
Source Document References
Information about the Ninerat malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
BankInfoSecurity | 7 months ago | Lazarus Exploits Log4Shell to Deploy Telegram-Based Malware
CERT-EU | 7 months ago | Lazarus Group Exploits Log4j Flaw in New Malware Campaign
CERT-EU | 7 months ago | Lazarus Group continues to exploit Log4j flaw in latest campaign
Securityaffairs | 7 months ago | Operation Blacksmith: Lazarus exploits Log4j flaws to deploy DLang malware
DARKReading | 7 months ago | Lazarus Group Is Still Juicing Log4Shell, Using RATs Written in 'D'
CERT-EU | 7 months ago | Lazarus Group bang on trend with memory-safe Dlang malware
CERT-EU | 7 months ago | Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans
CERT-EU | 7 months ago | Breaking Cyber News From Cyberint - Cyberint
CERT-EU | 7 months ago | Lazarus hackers drop new RAT malware using 2-year-old Log4j bug
InfoSecurity-magazine | 7 months ago | Lazarus Group Targets Log4Shell Flaw Via Telegram Bots