Search This Blog

Powered by Blogger.

Blog Archive

Labels

EarlyRat Malware From Andariel Strikes North Korea

Andariel, a cyber espionage group linked to North Korea, employed malware called EarlyRat that had never been documented before this attack.

 


Andariel, a North Korea-aligned threat actor, recently used malware known as EarlyRat in phishing attacks. This adds to the wide range of tools the group uses to perpetrate attacks against its targets. 

An analyst has uncovered a previously unknown remote access trojan that has been dubbed 'EarlyRAT'. This trojan appears to have been used by Andariel, a sub-group of the Lazarus North Korean hacking group linked to North Korea's state-sponsored cybercrime organization. 

Among the main hacker groups associated with the Lazarus organization, Stonefly (aka Andariel) is regarded as one of the most prominent hacker groups. By using the DTrack modular backdoor, the group has gathered a wealth of information from compromised systems, including browsing history, typing data (keylogging), screenshots, running processes, and much more. 

To attack machines, Andariel exploits a vulnerability in the Log4j application, which allows them to download further malware from the C2 server that hosts their attack. In addition to the DTrack backdoor, there are some other malware files on this list that were downloaded.  

Throughout the network reconnaissance, credential stealing, and lateral movement, Andariel used open-source security products such as 3Proxy, Putty, Dumpert, and Powerline. Furthermore, in these attacks, researchers discovered a phishing document triggered by the EarlyRAT payload retrieved from a server associated with the previous Maui ransomware campaign. In addition, a phishing document with macros was discovered. 

The North Korean government gathered valuable intellectual property over two months with the aid of an improved variant of DTrack, possibly Andariel. This was reported by WithSecure in a recent report. 

As a source of income for the sanctions-hit nation, cybercrime has become increasingly significant for them, as they commit cybercrime regularly in addition to conducting espionage attacks against foreign governments and military units of strategic interest. 

Cyber weapons such as Maui, a ransomware strain named after the Maui ransomware strain, and remote access trojans and backdoors such as Dtrack (aka Valefor and Preft), NukeSped (aka Manuscript), MagicRAT, and YamaBot are a few of its key items. 

This program includes several features, which allow it to create, terminate, move, read, and write files on an infected host. In addition, it can move and read processes. NukeSped appears to be used in conjunction with a campaign tracked by the U.S. Government's Cybersecurity and Infrastructure Security Agency (CISA) under the code name of TraderTraitor. 

Previously in the year 2022, AhnLab's Security Emergency Response Center (ASEC) and Cisco Talos did a joint paper that documented Andariel's weaponization of the Log4Shell vulnerability on unpatched virtual machines running VMware Horizon. 

A phishing document was also discovered in these campaigns, containing macros designed to retrieve an EarlyRAT payload from a server that was connected to previous Maui ransomware campaigns that used the same email address and subject line. 

There is a program called EarlyRAT that runs automatically on a command line every time. It gathers system data on the fly and sends it to the C2 server via a POST request. 

As you might expect from the name, EarlyRAT is a basic tool that collects system information and sends it via a POST request to the C2 server when it is launched. Besides downloading further payloads, EarlyRAT is also capable of exfiltrating valuable data and disrupting system functionality on compromised machines. This is due to its power to execute commands on compromised devices. There is a strong similarity between EarlyRAT and MagicRAT, another tool used as a part of the Lazarus attack, which creates a schedule of actions and downloads more malware from the C2 domain.  

Besides downloading payloads and exfiltrating vital information from computers, EarlyRAT's secondary purpose is to execute commands at the infected machine, which can enable it to download more payloads, exfiltrate vital information, or interfere with normal operations of the affected machine. 

It has been reported by security researchers that the tool in use by Lazarus is similar to another one used by MagicRAT. It includes features such as the ability to schedule tasks, download additional malware to the device, and perform malware analysis. 

According to the analysis carried out, it appears that the malware was executed by a human operator who was inexperienced, the number of typos and mistakes that were made indicated a lack of experience. 

During the analysis of the compromised network devices, it was found that several commands were entered manually rather than hardcoded into the compromised network devices. This led to many typos. 

It should be noted that the EarlyRAT implements actions by unskilled humans to reduce errors and typos. To detect weaknesses in compromised devices, certain commands were manually typed rather than hardcoded, which led to typo-induced problems in the network. The operator of a mid-sized network never deployed a proxy service to begin his workday, which resulted in the Lazarus campaign being discovered by the company's security staff. Due to this, their IP address which was assigned to them by North Korea was revealed. 
Share it:

Cyber Alert

Cyberattacks

CyberCrime

Cybersecurity

EarlyRAT

malware