Andariel Hackers Leverage EarlyRat Malware To Run Hacking Campaigns

Posted on June 29, 2023 at 9:15 PM

Andariel, a North Korea-based threat actor, has used a previously undocumented malware family called EarlyRat in phishing campaigns. EarlyRat adds to the set of tools the group relies on for its intrusions.

Andariel uses EarlyRat malware to run a phishing campaign

A report published by Kaspersky researchers notes that Andariel infects machines by exploiting Log4j and then uses that foothold to download additional malware from the command-and-control (C2) server.

The Kaspersky researchers said, “Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the C2 server. Unfortunately, we were unable to catch the piece of malware they downloaded, but we did see that exploitation was closely followed by the DTrack backdoor being downloaded.”

The Andariel hacker group is also known as Silent Chollima or Stonefly. The group is linked with the North Korean hacking unit known as Lab 110, which also backed the APT38 hacker group (also known as BlueNoroff). Its attributes are similar to those of other groups operating under the Lazarus Group umbrella.

The Andariel hacker group has been conducting espionage campaigns targeting foreign governments and military organizations. The attacks launched by the group usually serve a strategic interest. The group, alongside the others that are part of the Lazarus organization, is believed to engage in cybercrime to secure funds needed to support North Korea.

Tools used by the group include a ransomware strain known as Maui, as well as a range of remote access trojans and backdoors such as DTrack, NukeSped, MagicRAT, and YamaBot.

NukeSped is a remote access trojan and backdoor with features for creating and terminating processes and for reading, writing, and moving files on the infected host.

The North Korean group's use of NukeSped aligns with an earlier report from the US Cybersecurity and Infrastructure Security Agency (CISA), which referred to the malware as TraderTraitor.

The group's weaponization strategy involves exploiting the Log4Shell flaw in unpatched VMware Horizon servers, as previously documented by the AhnLab Security Emergency Response Center (ASEC) and Cisco Talos last year.

EarlyRat malware is hidden in files to conduct phishing campaigns

The latest attack chain detected by the Kaspersky researchers shows that EarlyRat is spread through phishing emails carrying Microsoft Word documents.

When the recipient opens the weaponized document and enables macros, the embedded VBA code runs and downloads the trojan, giving the attackers a foothold on the targeted device.

EarlyRat has been described as a simple and limited backdoor. It is designed to gather system information and exfiltrate it to a remote server, and it can also run arbitrary commands on infected hosts.

The backdoor also shares high-level similarities with MagicRAT, although the two differ in implementation: EarlyRat is written with the PureBasic framework, while MagicRAT depends on the Qt Framework.

Other tactics observed in the 2022 attacks exploiting the Log4j Log4Shell vulnerability involve the use of legitimate tools, which makes detecting these campaigns far more challenging.

The legitimate off-the-shelf tools used in these campaigns include 3Proxy, Powerline, PuTTY, ForkDump, and NTDSDumpEx. Such tools are used for further exploitation on the targeted device.
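One defender-side way to act on the macro delivery and the off-the-shelf tooling described above is to triage process-creation telemetry for those two footprints. This is an added example, not code from the Kaspersky report or the article; the key=value record format, the rule names and the sample lines are all assumptions constructed for illustration.

```python
import re
from typing import List, Tuple

# Process-creation records in a simplified key=value form, as an EDR or Sysmon
# export might present them. Every line here is CONSTRUCTED for this example.
SAMPLE_EVENTS = [
    "parent=C:\\Program Files\\Microsoft Office\\WINWORD.EXE image=C:\\Windows\\System32\\cmd.exe cmd=cmd.exe /c powershell.exe <args redacted>",
    "parent=C:\\Windows\\System32\\services.exe image=C:\\Windows\\System32\\svchost.exe cmd=svchost.exe -k netsvcs",
    "parent=C:\\Windows\\System32\\cmd.exe image=C:\\Users\\Public\\3proxy.exe cmd=3proxy.exe",
    "parent=C:\\Windows\\explorer.exe image=C:\\Tools\\putty.exe cmd=putty.exe",
    "parent=C:\\Windows\\System32\\cmd.exe image=C:\\Windows\\Temp\\NTDSDumpEx.exe cmd=NTDSDumpEx.exe",
]

EVENT_RE = re.compile(r"^parent=(?P<parent>.+?) image=(?P<image>.+?) cmd=(?P<cmd>.*)$")

# Off-the-shelf tools named in the report. Their presence alone warrants an
# analyst's look, even though some (PuTTY) are legitimate on an admin host.
REPORTED_TOOLS = {"3proxy", "putty", "forkdump", "ntdsdumpex", "powerline"}

# A Word process spawning a script interpreter is the typical footprint of the
# macro-based downloader described in the article.
OFFICE_PARENTS = {"winword.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, image basename) findings for each suspicious record."""
    findings = []
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue  # malformed record: skip it rather than abort the whole batch
        parent, image = basename(m["parent"]), basename(m["image"])
        if parent in OFFICE_PARENTS and image in INTERPRETERS:
            findings.append(("office-spawns-interpreter", image))
        stem = image.rsplit(".", 1)[0]  # compare without the extension
        if stem in REPORTED_TOOLS:
            findings.append(("reported-tool", image))
    return findings


if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule:28} {image}")
```

Matching on image name alone is deliberately coarse; a renamed binary evades it, so in production this belongs next to hash- or signer-based checks, not in place of them.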

The Kaspersky report also notes that while Lazarus is known as an APT group, it conducts a wide range of operations, including deploying ransomware on targeted devices. This mixed modus operandi makes it harder to distinguish the group's cybercrime activity from its espionage.

The researchers also noted that the group uses a wide range of custom tools, continually updating existing malware and developing new families. This constant churn makes its campaigns harder for security researchers and antivirus products to detect.
