Kaspersky uncovers new malware family used by Andariel, Lazarus’ subgroup
During an in-depth malware investigation into the activities of Andariel, a notorious subgroup of Lazarus, Kaspersky researchers discovered a new malware family called EarlyRat, being used alongside Andariel’s known utilization of the DTrack malware and Maui ransomware. The new analysis helps to reduce the time needed for attribution and proactively detect attacks at their early stages.
Andariel, an advanced persistent threat (APT) has operated for more than a decade within Lazarus group, and has been on the radars of Kaspersky researchers. Most recently, they have found Andariel’s campaign and uncovered a previously undocumented malware family identifying its additional tactics, techniques, and procedures (TTPs).
Andariel initiates infections by leveraging a Log4j exploit, which enables the download of additional malware from its command-and-control (C2) infrastructure. Although the initial piece of downloaded malware was not captured, it was observed that the DTrack backdoor was subsequently downloaded shortly after the Log4j exploitation.
A fascinating aspect of the investigation emerged when Kaspersky was able to replicate the command execution process. It became evident that commands within the Andariel’s campaign were being executed by a human operator, presumably one with little experience, as evidenced by the numerous mistakes and typos made. For example, the operator mistakenly wrote “Prorgam” instead of “Program”.
Among the findings, Kaspersky researchers encountered a version of EarlyRat in one of the Log4j cases. In some cases, EarlyRat was downloaded via the Log4j vulnerability, while in others it was discovered that phishing documents ultimately deployed EarlyRat.
An example of phishing document
EarlyRat, like many other Remote Access Trojans (RATs), collects system information upon activation and transmits it to the C2 server using a specific template. The transmitted data includes unique machine identifiers (ID) and queries, which are encrypted using cryptographic keys specified in the ID field.
In terms of functionality, EarlyRat exhibits simplicity, primarily limited to executing commands. Interestingly, EarlyRat shares some high-level similarities with MagicRat – the malware that has been deployed by Lazarus before – such as the utilization of frameworks (QT for MagicRat and PureBasic for EarlyRat) and the restricted functionality of both RATs.
“In the vast landscape of cybercrime, we encounter numerous players and groups that operate with fluid compositions. It is common for groups to adopt code from others, and even affiliates who can be considered as independent entities, switching between different types of malware. Adding to the complexity, subgroups of APT groups, such as Lazarus’ Andariel, engage in typical cybercrime activities like deploying ransomware. By focusing on tactics, techniques, and procedures (TTPs), as we did with Andariel, we can significantly reduce attribution time and detect attacks at their early stages,” comments Jornt van der Wiel, senior security researcher, GReAT at Kaspersky.