North Korean Hacker Group Andariel Strikes with New EarlyRat Malware

June 29, 2023 | Ravi Lakshmanan | Vulnerability/Malware


The North Korea-linked threat actor known as Andariel used a previously undocumented piece of malware called EarlyRat in an attack that exploited the Log4j Log4Shell vulnerability last year.

“Andariel infects machines by running a Log4j exploit, which downloads further malware from command and control (C2) servers,” Kaspersky said in a new report.

Andariel, also known as Silent Chollima or Stonefly, is associated with Lab 110 in North Korea. Lab 110 is the primary hacking force that also houses APT38 (aka BlueNoroff) and other sub-elements collectively tracked under the umbrella name of the Lazarus Group.

This actor is known to carry out espionage attacks against strategically important foreign governments and military organizations, as well as to carry out cybercrime as an additional source of income for sanctioned countries.


The group’s arsenal includes a ransomware strain called Maui and a number of remote access trojans and backdoors such as Dtrack (aka Valefor and Preft), NukeSped (aka Manuscrypt), MagicRAT and YamaBot.

NukeSped includes functions to create and terminate processes and to move, read and write files on infected hosts. The use of NukeSped overlaps with a campaign tracked by the US Cybersecurity and Infrastructure Security Agency (CISA) under the name TraderTraitor.

Andariel’s weaponization of the Log4Shell vulnerability in an unpatched VMware Horizon server was previously documented by the AhnLab Security Emergency Response Center (ASEC) and Cisco Talos in 2022.


The latest attack chain discovered by Kaspersky shows that EarlyRat is spread by phishing emails carrying decoy Microsoft Word documents. When opened, the file prompts the recipient to enable macros; the embedded VBA code then downloads the trojan.

Described as a simple but limited backdoor, EarlyRat is designed to gather system information, exfiltrate it to a remote server and execute arbitrary commands. It also shares high-level similarities with MagicRAT, although EarlyRat is written using PureBasic while MagicRAT is built on the Qt framework.

Another feature of this intrusion is the use of legitimate off-the-shelf tools such as 3Proxy, ForkDump, NTDSDumpEx, Powerline and PuTTY to further the attack on compromised targets.
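The chain described above (a macro-enabled decoy document spawning a downloader, followed by off-the-shelf tools such as 3Proxy and NTDSDumpEx on the host) is what an endpoint detection rule would key on. The following Python is an added example, not code from the article or from Kaspersky; the process-creation events are constructed for illustration, and the field names and the benign-child allowlist are assumptions to be tuned per environment.

```python
import os

# Dual-use tools the report says Andariel ran on compromised hosts.
DUAL_USE_TOOLS = {"3proxy.exe", "forkdump.exe", "ntdsdumpex.exe",
                  "powerline.exe", "putty.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters a macro typically launches to fetch or run a second stage.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe"}
# Assumed allowlist of legitimate Office helper processes; tune locally.
BENIGN_OFFICE_CHILDREN = {"splwow64.exe"}

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\Public\NTDSDumpEx.exe"},
    {"host": "SRV02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\ProgramData\3proxy.exe"},
    {"host": "WS03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"host": "WS04", "parent": r"C:\Office\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, portable across hosts."""
    return os.path.basename(path.replace("\\", "/")).lower()


def classify(event: dict) -> list:
    """Return detection tags for one process-creation event.

    Name matching is a weak signal on its own (binaries can be renamed);
    pair it with hashes or signer checks before acting on a hit.
    """
    parent, image = basename(event["parent"]), basename(event["image"])
    tags = []
    if parent in OFFICE_APPS and image in SHELLS:
        tags.append("office_spawned_shell")       # macro-driven download stage
    elif parent in OFFICE_APPS and image not in BENIGN_OFFICE_CHILDREN:
        tags.append("office_unusual_child")
    if image in DUAL_USE_TOOLS:
        tags.append("dual_use_tool")              # post-compromise tooling
    return tags


def triage(events: list) -> list:
    """(host, image, tags) for every event that raised at least one tag."""
    return [(e["host"], basename(e["image"]), classify(e))
            for e in events if classify(e)]
```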

“Despite being an APT group, Lazarus is known to perform typical cybercrime tasks such as deploying ransomware, which makes the cybercrime landscape more complicated,” Kaspersky said. “Additionally, this group uses a variety of custom tools, constantly updating existing malware and developing new ones.”
