Security Programming

Lazarus Cyber Group Deploys DLang Malware Strains (theregister.com)

Connor Jones reports via The Register: DLang is among the newer breed of memory-safe languages being endorsed by Western security agencies over the past few years, the same type of language that cyber criminals are switching to. At least three new DLang-based malware strains have been used in attacks on worldwide organizations spanning the manufacturing, agriculture, and physical security industries, Cisco Talos revealed today. The attacks form part of what's being called "Operation Blacksmith" and are attributed to a group tracked as Andariel, believed to be a sub-division of the Lazarus Group -- North Korea's state-sponsored offensive cyber unit. [...]

The researchers noted that DLang is an uncommon choice for writing malware, but a shift towards newer languages and frameworks is one that's been accelerating over the last few years -- in malware coding as in the larger programming world. Rust, however, has often shown itself to be the preferred choice out of what is a fairly broad selection of languages deemed to be memory-safe. AlphV/BlackCat was the first ransomware group to make such a shift last year, re-writing its payload in Rust to offer its affiliates a more reliable tool. A month later, the now-shuttered Hive group did the same thing, and many others followed after that. Other groups to snub Rust include China-based Sandman which was recently observed using Lua-based malware, believed to be part of a wider shift toward Lua development from Chinese attackers.

  • Dlang for this state-sponsored group. Lua for that state-sponsored group. Odd shift in tactics for those that often rely on hiding to succeed.

    Malware tends to always run the risk of attacking and breaking the "wrong" entity that you really didn't mean to fuck with, and then hacker bragging becomes a rather large liability. Language preference may tend to "out" the guilty as easily as speaking in native tongue.

    • It makes false attribution easier and true attribution denial easier too.

      • It makes false attribution easier...

        A tactic that was easier when a lot of them code-spoke in the same language.

        ...and true attribution denial easier too.

        If any state-sponsored hacking group becomes the only one coding effectively in one particular language, I don't see how. Being fluent becomes your native tongue rather easily, which denial becomes quite difficult in the voice-powered realm. (Like they're not from Boston when I asked them to park the car.)

  • by jmccue ( 834797 ) on Tuesday December 12, 2023 @02:34PM (#64076553) Homepage

    DLang is among the newer breed of memory-safe languages

    New one on me, I know of a language called D created by Walter Bright decades ago. And it is a rather good language.

    Never heard of D Lang. People cannot come up with new names, instead they need to call it the same name as products that are probably much better?

    • by caseih ( 160668 )

      Indeed the language used by these malware authors is D, and yes it is an old language. I guess the reporter just found the website (dlang.org) and assumed that was the actual name of the language, and they didn't even read the web site to find out that D has been around for decades. And of course Google is partly to blame because it's impossible to find one-letter or even two-letter languages without adding "lang" to the query. Google must special case "C" and their own languages like "Go."

    • It's the language you're thinking of. It has become fashionable to put Lang on the end, probably because simply searching for "D" or "Go" doesn't really yield very good results. You can blame search engines for the stupid convention. Even website host names reflect this trendy "lang" suffix, D [dlang.org], Nim [nim-lang.org], Zig [ziglang.org], etc...

  • So... (Score:4, Insightful)

    by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Tuesday December 12, 2023 @02:35PM (#64076561) Homepage Journal

    Does this mean malware writers care more about code quality than Microsoft (which mostly writes in C++)?
