Andariel’s Mistakes Uncover New Malware in Lazarus Group Campaign

Researchers have uncovered a previously undocumented malware family and exposed operational mistakes by Andariel, a group of North Korean threat actors associated with the Lazarus Group.

Kaspersky explained the findings in an advisory published today, analyzing the group’s tactics and uncovering the emergence of a new threat dubbed “EarlyRat.”

“In the vast landscape of cybercrime, we encounter many players and groups operating in a fluid composition,” said Jornt van der Wiel, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).

“It is common for groups to switch between different types of malware while adopting code from other organizations or affiliates that are considered independent entities.”


The Andariel group is known for using the DTrack malware and the Maui ransomware. It first attracted attention in mid-2022.

Exploiting Log4j vulnerabilities, Andariel introduced various malware families such as yamaBot and MagicRat, along with updated versions of NukeSped and DTrack.

Kaspersky researchers discovered Andariel’s campaign during an unrelated investigation and decided to investigate further.

The investigation revealed that Andariel initiated the infection by running a Log4j exploit and then downloaded additional malware from its command-and-control (C2) servers.

In particular, researchers observed a human operator executing commands and noticed numerous mistakes and typos, suggesting an inexperienced individual was behind the operation.

Researchers have also identified a new malware family known as EarlyRat. Initially thought to be downloaded via Log4j, further analysis revealed that EarlyRat’s primary delivery mechanism was phishing documents.

Classified as a Remote Access Trojan (RAT), this malware gathers system information and uses specific templates to communicate with its C2 server.

“Subgroups of the APT group, such as Andariel from Lazarus, are engaged in typical cybercriminal activities such as deploying ransomware,” van der Wiel explained.

“By focusing on Tactics, Techniques and Procedures (TTP), as we did with Andariel, we can significantly reduce the time it takes to identify an attack and detect it at an early stage.”

Kaspersky’s recommendations come weeks after blockchain analytics firm Elliptic implicated the Lazarus Group in the Atomic Wallet heist.
