Ninerat

Malware updated 23 days ago (2024-11-29T14:03:52.924Z)
Download STIX
Preview STIX
NineRAT is a malicious software, or malware, that was first built in May 2022 and initially used in the Operation Blacksmith campaign against a South American agricultural organization in March. It is one of two Remote Access Trojans (RATs) utilized by Lazarus, a notorious Advanced Persistent Threat (APT) group, with the other being DLRAT. NineRAT, in particular, uses Telegram bots and channels for its command-and-control (C2) system, featuring DLang-based libraries that test authentication and enable document upload and download functionalities. Once activated, it becomes the primary interaction method with the infected host, even as older backdoor mechanisms like HazyLoad persist to provide Lazarus redundant access points. The researchers have found that the data collected by Lazarus via NineRAT may be shared with other APT groups. This information essentially resides in a different repository from the fingerprint data collected initially by Lazarus during their initial access and implant deployment phase. Once active, NineRAT receives preliminary commands from the C2 to again fingerprint the infected systems, indicating a re-fingerprinting process. The researchers have dubbed the Telegram-based RAT "NineRAT" and the non-Telegram variant "DLRAT," while a third component, a DLang-based downloader called "BottomLoader," is designed to retrieve additional payloads in subsequent stages of the operation. In the latest Andariel campaign, both NineRAT and DLRAT are being used as RATs. NineRAT uses Telegram as its command-and-control channel for commands, communication, and file transfers. Interestingly, Andariel exploits Log4Shell to attack publicly-accessible VMware Horizon servers to deliver NineRAT. This sophisticated malware strategy highlights the increasing complexity of cyber threats and underscores the need for robust cybersecurity measures.
Description last updated: 2024-08-14T09:37:00.651Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Dlrat is a possible alias for Ninerat. DLRAT is a potent malware, classified as a Remote Access Trojan (RAT), developed and deployed by the Lazarus group. It functions both as a trojan and a downloader, capable of introducing additional payloads into an infected system. The malware infiltrates systems through suspicious downloads, emails
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Rat
Implant
Apt
Malware
Operation Bl...
Telegram
Backdoor
Dropper
Downloader
Cisco
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Andariel Threat Actor is associated with Ninerat. Andariel, a threat actor controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, has been actively conducting cyber espionage and ransomware operations. The group funds its activities through ransomware attacks primarily targeting U.S. healthcare entities. In somUnspecified
2