A new malware strain called EarlyRAT has been linked to the North Korean hacking group Andariel.

Ref# AL2023_53 | Date: Jun 30th 2023

Description  

EarlyRAT, a previously unknown remote access trojan (RAT), has been discovered and linked to Andariel, a sub-group of the North Korean state-sponsored hacking outfit Lazarus. Andariel (aka Stonefly) is thought to be a member of the Lazarus hacking gang, which is notorious for using the DTrack modular backdoor to collect data from compromised systems, such as browsing history, typed data (keylogging), screenshots, running processes, and other information.

Details 

Andariel compromises machines by exploiting a vulnerability in the Log4j software, after which it downloads further malware from its C2 server. The DTrack backdoor is listed as one of the malware families downloaded.

Andariel used open-source tools such as 3Proxy, Putty, Dumpert, and Powerline to conduct network reconnaissance, credential theft, and lateral movement. In addition, a phishing document was discovered in these attacks; the document used macros to retrieve the EarlyRAT payload from a server linked to the earlier Maui ransomware campaigns.

EarlyRAT is a basic tool that, when launched, collects system information and sends it to the C2 server via a POST request. EarlyRAT's second main function is to execute commands on the compromised machine, namely to download further payloads, exfiltrate valuable data, or disrupt system functions. EarlyRAT is very similar to MagicRAT, another tool used by Lazarus that creates scheduled tasks and downloads further malware from the C2.

Given the frequency of errors and typos, it appears that EarlyRAT operations were carried out by an unskilled human operator. Certain commands executed on the compromised network devices were found to have been typed manually rather than hardcoded, resulting in typo-induced failures. Last year, a Lazarus campaign was exposed because the operator failed to enable a proxy at the start of their workday, revealing their North Korean IP address.

Remediation 

Be wary of phishing emails and of suspicious links or attachments. If you believe you were affected by this malware campaign, scan your computer for malware immediately and remove anything malicious that is found.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 
