New EarlyRAT Malware Linked to North Korean Andariel Hacking Group
Cyber Security Threat Summary:
“Security analysts have discovered a previously undocumented remote access trojan (RAT) named 'EarlyRAT,' used by Andariel, a sub-group of the Lazarus North Korean state-sponsored hacking group. Andariel (aka Stonefly) is believed to be part of the Lazarus hacking group known for employing the DTrack modular backdoor to collect information from compromised systems, such as browsing history, typed data (keylogging), screenshots, running processes, and more” (Bleeping Computer, 2023).
Research from WithSecure and Kaspersky claims a North Korean group, possible Andariel is using a newer variant of DTrack to gather intellectual property. The hacking group is using a piece of malware called EarlyRAT to collect system information from victim devices which is sent back to the attacker’s command and control server.
Security Officer Comments:
Kaspersky discovered EarlyRAT while investigating an Andariel campaign from mid-2022, where the threat actors were leveraging Log4Shell to breach corporate networks. After exploiting flaws in Log4Shell, Andariel downloads off-the-shelf-tools like 3Proxy, Putty, Dumpert, and Powerline to perform network reconnaissance, steal credentials, and move laterally through the network. The analysts also noticed a phishing document in these attacks, which used macros to fetch an EarlyRAT payload from a server associated with past Maui ransomware campaigns.
EarlyRAT is fairly simple, upon execution it will begin collecting system information to send to the attackers C2 server via POST requests. Next it can execute commands on the infected system, download additional payloads, exfiltrate data, or even disrupt system operations. Kaspersky says EarlyRAT is similar to another tool used by North Korea’s Lazarus group called MagicRAT. Both tools have functions to create scheduled tasks and download additional malware from the attacker controlled C2 server.
“The researchers say that the examined EarlyRAT activities seemed to be executed by an inexperienced human operator, given the number of mistakes and typos. It was observed that various commands executed on the breached network devices were manually typed and not hardcoded, often leading to typo-induced errors. Similar carelessness uncovered a Lazarus campaign to WithSecure's analysts last year, who saw an operator of the group forget to use a proxy at the start of their workday and expose their North Korean IP address” (Bleeping Computer, 2023).
Suggested Correction(s):
While it’s unclear what initial access vectors or vulnerabilities are being used to get EarlyRAT installed on machines, the researchers did note that a phishing document was associated with attacks.
- Do not open emails or download software from untrusted sources
- Do not click on links or attachments in emails that come from unknown senders
- Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
- Always verify the email sender's email address, name, and domain
- Backup important files frequently and store them separately from the main system
- Protect devices using antivirus, anti-spam and anti-spyware software
- Report phishing emails to the appropriate security or I.T. staff immediately
https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/ https://www.bleepingcomputer.com/ne...inked-to-north-korean-andariel-hacking-group/