Andariel hacking group allegedly used the new EarlyRAT malware

July 26, 2023
Andariel, a sub-group of the North Korean Lazarus threat group, has reportedly used a previously unknown remote access trojan, EarlyRAT, in a recent campaign. The group is known for deploying the DTrack modular backdoor to harvest data from infected systems, including browsing history, screenshots, lists of running processes, and keystrokes.

A more recent report also found that the group likely used the latest DTrack variant to collect valuable intellectual property over a two-month period. In the newly observed activity, however, Andariel instead deployed EarlyRAT to gather system information from infected devices and exfiltrate it to an attacker-controlled command-and-control (C2) server.

The discovery of the RAT gave researchers further insight into the group, which had been compromising a range of organisations over the preceding month.

The EarlyRAT malware initially appeared during the rise of the Log4Shell exploit.

Researchers explained that they came across EarlyRAT while investigating Andariel's exploitation of the Log4Shell vulnerability (CVE-2021-44228) to breach target networks.

After gaining a foothold through the Log4j flaw, the Andariel operators downloaded off-the-shelf tools such as PuTTY, Dumpert, 3Proxy, and Powerline, and used them for network reconnaissance, lateral movement, and credential theft.

The researchers also observed a phishing document in the campaigns: a macro-enabled document that fetches the EarlyRAT payload from a server associated with another ransomware group.

EarlyRAT is a simple tool: it collects system information and sends it to the attacker's C2 server in an HTTP POST request. The researchers also noted a secondary capability to execute commands on the compromised system, but they have yet to establish further details about it.

Experts believe that inexperienced human operators are behind the new EarlyRAT incidents, since the malware contains several typos and coding mistakes. Similar sloppiness appeared in a Lazarus campaign against a security analyst last year, where the investigation showed the operators apparently failed to use a proxy at the start of their workday and exposed a North Korean IP address.

These errors suggest the group is still refining its tooling, so researchers and defenders should keep an eye on this newly discovered malware.
