NedDnLoader

NedDnLoader is an HTTP(S) downloader that uses AES for C&C traffic encryption.

NedDnLoader is a Windows loader operated by Lazarus Group.

Background

It transmits a thorough profile of the victim's environment, including the computer name, user name, drive types and free space across all drives, and the list of active processes. Its HTTP POST requests use three characteristic parameter names: ned, gl, hl. The payload it typically retrieves is Torisma.

Internally the DLL is usually named Dn.dll, Dn64.dll or DnDll.dll. It ships either as a standalone payload or bundled into a trojanized MFC application project, and contains distinctive RTTI symbols such as ".?AVCWininet_Protocol@@" or ".?AVCMFC_DLLApp@@".
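The POST parameter names and RTTI strings listed above are the kind of traits a defender can match on. The following is an added example (not Malpedia's code) with constructed sample requests and a constructed byte buffer; it requires all three parameter names together on a POST, since gl and hl alone are common locale parameters on legitimate sites.

```python
"""Detection helpers for the NedDnLoader traits described on this page (added example)."""
from urllib.parse import parse_qs

# Parameter names the page attributes to NedDnLoader POST requests.
NEDDN_POST_PARAMS = frozenset({"ned", "gl", "hl"})

# RTTI class-name strings the page lists for the DLL.
NEDDN_RTTI_STRINGS = (b".?AVCWininet_Protocol@@", b".?AVCMFC_DLLApp@@")


def has_neddn_params(method: str, body: str) -> bool:
    """Return True if a POST body carries all three NedDnLoader parameter names.

    'gl' and 'hl' occur on plenty of legitimate sites as locale parameters, so the
    check insists on a POST that carries all three names at once.
    """
    if method.upper() != "POST":
        return False
    params = parse_qs(body, keep_blank_values=True)
    return NEDDN_POST_PARAMS.issubset(params)


def find_rtti_strings(data: bytes) -> list:
    """Return the NedDnLoader RTTI symbols found in a file image (bytes)."""
    return [s.decode() for s in NEDDN_RTTI_STRINGS if s in data]


# Constructed samples: (method, body) pairs standing in for proxy or IDS logs.
SAMPLE_REQUESTS = [
    ("POST", "ned=AAAA&gl=BBBB&hl=CCCC"),   # constructed: all three names present
    ("GET",  "hl=en&gl=us"),                 # ordinary locale parameters on a GET
    ("POST", "hl=en&gl=us&q=search"),        # two of three names; benign
]


def flag_requests(requests):
    """Return indices of requests that match the NedDnLoader parameter pattern."""
    return [i for i, (m, b) in enumerate(requests) if has_neddn_params(m, b)]


if __name__ == "__main__":
    print("flagged request indices:", flag_requests(SAMPLE_REQUESTS))
    # Constructed buffer standing in for a DLL image that embeds one RTTI symbol.
    print("RTTI hits:", find_rtti_strings(b"MZ\x90\x00...\x00.?AVCWininet_Protocol@@\x00"))
```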


Source: Malpedia (Fraunhofer FKIE).