
EarlyRat Malware

Security researchers have observed the North Korea-linked threat actor Andariel adding a previously undocumented malware family, EarlyRat, to its toolset. EarlyRat has been delivered in phishing campaigns and joins an already extensive set of tools and tactics attributed to the group.

Andariel has also gained access to targeted machines by exploiting the Log4Shell vulnerability (CVE-2021-44228) in the Log4j logging library. Once the exploit gives the actor code execution on the host, it downloads additional malware from the operation's command-and-control (C2) server.

Andariel is Connected to Other North Korean Hacker Groups

Andariel, also known by the aliases Silent Chollima and Stonefly, operates under the umbrella of the Lazarus Group alongside other subordinate elements such as APT38 (aka BlueNoroff). This threat actor is also associated with Lab 110, a prominent hacking unit based in North Korea.

Andariel's activities encompass a range of operations, including espionage targeting foreign government and military entities of strategic interest. Additionally, the group engages in cybercrime activities to generate supplemental income for the nation, which is under heavy sanctions.

The arsenal of Andariel comprises various cyber weapons, including the notorious Maui Ransomware. Additionally, the group utilizes numerous remote access Trojans and backdoors, such as Dtrack (also known as Valefor and Preft), NukeSped (aka Manuscrypt), MagicRAT and YamaBot.

NukeSped, in particular, possesses a wide array of capabilities that enable it to create and terminate processes, as well as manipulate files on the compromised host. Notably, the usage of NukeSped overlaps with a campaign known as TraderTraitor, which has been tracked by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Andariel's exploitation of the Log4Shell vulnerability in unpatched VMware Horizon servers was previously documented by AhnLab Security Emergency Response Center (ASEC) and Cisco Talos in 2022, highlighting the group's ongoing efforts to weaponize emerging vulnerabilities.

EarlyRat Collects Information and Executes Intrusive Commands on the Breached Devices

EarlyRat is distributed through phishing emails carrying macro-enabled Microsoft Word documents. When a recipient opens the file and accepts the prompt to enable macros, the embedded VBA code runs and downloads the EarlyRat payload.
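The precondition for this lure is a Word document that carries a VBA project. As an added example (not part of the original report and not EarlyRat's own code), the following Python inspects a document for one: it checks OOXML packages for a vbaProject.bin part, for the VBA content type in [Content_Types].xml and for a vbaProject relationship, and it recognises but does not parse legacy OLE2 (.doc) files. The two sample documents are constructed in memory for illustration.

```python
import io
import zipfile

# Content type Office assigns to the VBA project part of a macro-enabled OOXML file
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Relationship type that links the main document part to its VBA project
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
# Magic bytes of the legacy binary (OLE2 / Compound File) Office format
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def inspect_office_document(data: bytes) -> dict:
    """Report whether a document blob carries a VBA project.

    Returns {'format': 'ooxml'|'ole2'|'unknown', 'has_macros': bool|None, 'evidence': [...]}.
    Legacy .doc files need an OLE parser, so has_macros is None for them.
    """
    if data.startswith(OLE_MAGIC):
        return {"format": "ole2", "has_macros": None,
                "evidence": ["legacy binary format, not parsed here"]}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"format": "unknown", "has_macros": None, "evidence": []}

    evidence = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # 1. A VBA project part anywhere in the package (word/, xl/, ppt/)
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                evidence.append(f"part {name}")
        # 2. The package manifest declares the VBA content type
        if "[Content_Types].xml" in names:
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in manifest:
                evidence.append("content type " + VBA_CONTENT_TYPE)
        # 3. The main part's relationships point at a VBA project
        for name in names:
            if name.endswith("_rels/document.xml.rels") or name.endswith("_rels/workbook.xml.rels"):
                rels = zf.read(name).decode("utf-8", "replace")
                if VBA_REL_TYPE in rels:
                    evidence.append(f"relationship in {name}")
    return {"format": "ooxml", "has_macros": bool(evidence), "evidence": evidence}


def _build_ooxml(parts: dict) -> bytes:
    """Assemble a minimal OOXML package from {part name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a plain .docx with no macro parts
CLEAN_DOCX = _build_ooxml({
    "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" '
                           'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": "<w:document/>",
})

# Constructed sample: a .docm-style package carrying a VBA project
MACRO_DOCM = _build_ooxml({
    "[Content_Types].xml": f'<Types><Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/></Types>',
    "word/document.xml": "<w:document/>",
    "word/_rels/document.xml.rels": f'<Relationships><Relationship Type="{VBA_REL_TYPE}" Target="vbaProject.bin"/></Relationships>',
    "word/vbaProject.bin": b"\x00" * 16,
})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_DOCX), ("macro", MACRO_DOCM)):
        print(label, inspect_office_document(blob))
```

The three checks are deliberately independent: a document that has been tampered with to hide one of them (for example a vbaProject.bin part without a matching content type override) still produces evidence from the others, and the evidence list tells the analyst which signal fired.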

EarlyRat is a simple backdoor with a limited feature set: it gathers system information, sends it to a remote server and can execute arbitrary commands on the infected host. It bears clear resemblances to MagicRAT even though the two are built on different frameworks: EarlyRat is written in PureBasic, MagicRAT in Qt.

The Log4Shell intrusions observed the previous year also revealed a tactic not previously seen from this actor. After gaining access, the attackers ran legitimate off-the-shelf tools on compromised hosts, including 3Proxy (a proxy server, useful for tunnelling traffic), ForkDump, NTDSDumpEx (which extracts Active Directory credential data from an NTDS.dit database), Powerline and PuTTY (an SSH client). Because these are legitimate binaries rather than custom malware, signature-based controls are less likely to flag them; detection has to rely on context, such as where the binary runs from, which account launches it and what it touches.
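A detection-side illustration, added here and not taken from the reporting: triaging Sysmon-style process-creation events for the tools listed above. The field names (Image, OriginalFileName, CommandLine) follow the Sysmon Event ID 1 schema; the severity levels, the user-writable path list, the NTDS.dit command-line indicator and the sample events are assumptions made for this example. Matching on OriginalFileName as well as the on-disk name catches a tool that has been renamed.

```python
import json
import ntpath

# Tools named in the reporting, keyed by a lower-case name fragment.  PuTTY is
# common on admin workstations, so on its own it only rates "low"; the others
# rarely have a legitimate reason to appear on a server.  (Assumed ratings.)
TOOL_INDICATORS = {
    "3proxy": "high",
    "forkdump": "high",
    "ntdsdumpex": "high",
    "powerline": "medium",
    "putty": "low",
}

# Locations any user can write to; a dual-use tool launched from here is more
# suspicious than one installed under Program Files.  (Assumed list.)
USER_WRITABLE_PATHS = ("\\temp\\", "\\downloads\\", "\\users\\public\\",
                       "\\programdata\\", "\\appdata\\")


def classify_event(ev: dict):
    """Return a hit dict for a suspicious process-creation event, or None."""
    image = ev.get("Image", "")
    basename = ntpath.basename(image).lower()
    original = ev.get("OriginalFileName", "").lower()  # from the PE version resource
    cmdline = ev.get("CommandLine", "").lower()

    for fragment, severity in TOOL_INDICATORS.items():
        if fragment in basename or fragment in original:
            reasons = [f"image/original file name matches {fragment}"]
            if fragment not in basename:
                # The PE says it is the tool but the file on disk is called something else
                severity = "high"
                reasons.append("binary renamed on disk")
            if severity == "low" and any(p in image.lower() for p in USER_WRITABLE_PATHS):
                severity = "medium"
                reasons.append("running from user-writable path")
            if "ntds.dit" in cmdline:
                severity = "high"
                reasons.append("command line references ntds.dit")
            return {"severity": severity, "tool": fragment, "image": image, "reasons": reasons}

    if "ntds.dit" in cmdline:
        # Credential database touched by something not in the tool list
        return {"severity": "high", "tool": None, "image": image,
                "reasons": ["command line references ntds.dit"]}
    return None


def triage_events(lines):
    """Parse JSON-lines events and return the hits in input order."""
    hits = []
    for line in lines:
        hit = classify_event(json.loads(line))
        if hit:
            hits.append(hit)
    return hits


# Constructed sample events (raw strings so the JSON keeps its backslashes)
SAMPLE_EVENTS = [
    r'{"Image": "C:\\Windows\\Temp\\svc.exe", "OriginalFileName": "NTDSDumpEx.exe", "CommandLine": "svc.exe -d ntds.dit -o out.txt", "User": "CORP\\svc_backup"}',
    r'{"Image": "C:\\Program Files\\PuTTY\\putty.exe", "OriginalFileName": "PuTTY", "CommandLine": "putty.exe", "User": "CORP\\admin1"}',
    r'{"Image": "C:\\Users\\Public\\putty.exe", "OriginalFileName": "PuTTY", "CommandLine": "putty.exe -ssh 10.0.0.5", "User": "CORP\\webuser"}',
    r'{"Image": "C:\\Windows\\System32\\svchost.exe", "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs", "User": "NT AUTHORITY\\SYSTEM"}',
]

if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS):
        print(hit["severity"], hit["image"], "; ".join(hit["reasons"]))
```

The first event is the important one: the file on disk is called svc.exe, so a rule keyed only on the image name would miss it, while the PE's OriginalFileName and the ntds.dit argument both give it away.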
