New Malware by Lazarus-Backed Andariel Group Exploits Log4j
APT Group Initiates Malware Infection Through Log4j Vulnerability, Phishing Attacks
Researchers discovered an undisclosed malware family named EarlyRat being used by a branch of the North Korea-backed Lazarus Group. The malware was deployed in Log4j and phishing attacks, marking its first identification in the cybersecurity landscape.
Kaspersky researchers said they stumbled upon the never-before-seen malware family while investigating the group's activity between March and June 2022.
Kaspersky said the advanced persistent threat group Andariel has operated for over a decade as a subgroup within Lazarus Group.
Researchers characterized the new RAT as "simple" yet effective. Its fundamental capabilities include command execution and system data collection.
"Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the command-and-control server," Kaspersky said in a new report.
This discovery is an example of the Lazarus Group's agility in swiftly crafting fresh malware to target global organizations.
"The group uses a wide variety of custom tools, constantly updating existing and developing new malware," the researchers said.
One of their key findings is that the command execution was performed by a human operator - presumably one with little experience, as evidenced by numerous mistakes and typos. They also found a version of EarlyRat malware in one of the Log4j cases.
"EarlyRat was downloaded via the Log4j vulnerability, while in others it was discovered that phishing documents ultimately deployed EarlyRat," the report says.
Like many other remote access Trojans, EarlyRat collects system information upon activation and transmits it to the C2 server using a specific template. The transmitted data includes unique machine identifiers and queries that are encrypted using cryptographic keys specified in the ID field.
In terms of functionality, EarlyRat is primarily limited to executing commands. It shares some high-level similarities with MagicRat malware, which was previously deployed by Lazarus Group.
In the Log4j cases, the exploit downloads resources from the command-and-control server and ultimately the DTrack backdoor.
In phishing attacks, malicious documents come with disabled macros. Once they have been enabled, a command is executed and the VBA code pings a server associated with the HolyGhost/Maui ransomware campaign.
Jornt van der Wiel, a security researcher on the Global Research and Analysis Team at Kaspersky, said it is common for groups to adopt code from others - even from affiliates who could be considered independent entities - and to switch between different types of malware.
"In the vast landscape of cybercrime, we encounter numerous players and groups that operate with fluid compositions," he said. "Adding to the complexity, subgroups of APT groups, such as Lazarus' Andariel, engage in typical cybercrime activities like deploying ransomware. By focusing on tactics, techniques and procedures, as we did with Andariel, we can significantly reduce attribution time and detect attacks at their early stages."
Stopping these Lazarus-aligned groups is a top priority for the U.S. federal government, which in July 2022 offered a $10 million reward for information about BlueNoroff, Andariel, APT38, Guardians of Peace and Lazarus Group that would lead to the identification of state-sponsored hackers.