During an in-depth malware investigation into the activities of Andariel, a notorious subgroup of Lazarus, Kaspersky researchers discovered a new malware family called EarlyRat, being used alongside Andariel’s known utilisation of the DTrack malware and Maui ransomware. The new analysis helps to reduce the time needed for attribution and proactively detect attacks at their early stages.
Andariel, an advanced persistent threat (APT) group, has operated for more than a decade within the Lazarus group and has long been on Kaspersky researchers' radar. Most recently, they analysed a new Andariel campaign, uncovered a previously undocumented malware family, and identified additional tactics, techniques, and procedures (TTPs) used by the group.
Andariel initiates infections by leveraging a Log4j exploit, which enables the download of additional malware from its command-and-control (C2) infrastructure. Although the initial piece of downloaded malware was not captured, it was observed that the DTrack backdoor was subsequently downloaded shortly after the Log4j exploitation.
A fascinating aspect of the investigation emerged when Kaspersky was able to replicate the command execution process. It became evident that commands within Andariel’s campaign were being executed by a human operator, presumably one with little experience, as evidenced by the numerous mistakes and typos made. For example, the operator mistakenly wrote “Prorgam” instead of “Program”.
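Operator typos of the kind quoted above are a usable detection signal for hands-on-keyboard activity. The script below is an added example, not Kaspersky's code or part of the report: it scans constructed Sysmon-style process-creation lines and flags command-line path components that are near-misses of well-known Windows directory names (the directory list, log format and sample lines are all assumptions).

```python
import difflib
import re

# Directory names an operator working at a console is likely to type by hand.
# An exact match is normal; a near-miss such as "Prorgam Files" hints at manual
# activity rather than scripted tooling. (Constructed, illustrative list.)
KNOWN_DIRS = ["Program Files", "Program Files (x86)", "ProgramData",
              "Windows", "System32", "Users"]

# Quoted paths may contain spaces; unquoted paths end at whitespace.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]*)"|([A-Za-z]:\\[^\s"]*)')

def near_miss_components(cmdline, cutoff=0.8):
    """Return (typed, expected) pairs for path components that closely
    resemble a well-known directory name without matching it exactly."""
    hits = []
    for quoted, bare in PATH_RE.findall(cmdline):
        for comp in (quoted or bare).split("\\")[1:]:   # drop the drive letter
            if not comp or comp in KNOWN_DIRS:
                continue
            # Similarity ratio >= cutoff but not exact: a probable typo.
            best = difflib.get_close_matches(comp, KNOWN_DIRS, n=1, cutoff=cutoff)
            if best:
                hits.append((comp, best[0]))
    return hits

def flag_hands_on_keyboard(log_lines, cutoff=0.8):
    """Scan Sysmon-style process-creation lines (assumed 'CommandLine: ...'
    field) and return those whose command line contains a near-miss."""
    flagged = []
    for line in log_lines:
        _, sep, cmdline = line.partition("CommandLine: ")
        if not sep:
            continue
        hits = near_miss_components(cmdline, cutoff)
        if hits:
            flagged.append((line, hits))
    return flagged

# Constructed sample lines; the "Prorgam" typo mirrors the one quoted above.
SAMPLE_LOGS = [
    'Image: C:\\Windows\\System32\\cmd.exe CommandLine: cmd.exe /c dir "C:\\Prorgam Files\\"',
    'Image: C:\\Windows\\System32\\cmd.exe CommandLine: cmd.exe /c dir "C:\\Program Files\\"',
    'Image: C:\\Windows\\System32\\cmd.exe CommandLine: cmd.exe /c type C:\\Windosw\\Temp\\out.txt',
    'Image: C:\\Windows\\System32\\cmd.exe CommandLine: cmd.exe /c C:\\Users\\admin\\AppData\\Local\\Temp\\x.bat',
]

if __name__ == "__main__":
    for line, hits in flag_hands_on_keyboard(SAMPLE_LOGS):
        print(hits, "<-", line)
```

Tune `cutoff` and `KNOWN_DIRS` against your own telemetry; short names such as "Users" will produce more false positives than long ones.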
Among the findings, Kaspersky researchers encountered a version of EarlyRat in one of the Log4j cases. In some cases, EarlyRat was downloaded via the Log4j vulnerability, while in others it was ultimately deployed by phishing documents.
Figure: an example of a phishing document.
EarlyRat, like many other Remote Access Trojans (RATs), collects system information upon activation and transmits it to the C2 server using a specific template. The transmitted data includes unique machine identifiers (ID) and queries, which are encrypted using cryptographic keys specified in the ID field.
In terms of functionality, EarlyRat exhibits simplicity, primarily limited to executing commands. Interestingly, EarlyRat shares some high-level similarities with MagicRat – the malware that has been deployed by Lazarus before – such as the utilisation of frameworks (Qt for MagicRat and PureBasic for EarlyRat) and the restricted functionality of both RATs.
“In the vast landscape of cybercrime, we encounter numerous players and groups that operate with fluid compositions. It is common for groups to adopt code from others, and even affiliates who can be considered as independent entities, switching between different types of malware. Adding to the complexity, subgroups of APT groups, such as Lazarus’ Andariel, engage in typical cybercrime activities like deploying ransomware. By focusing on tactics, techniques, and procedures (TTPs), as we did with Andariel, we can significantly reduce attribution time and detect attacks at their early stages,” comments Jornt van der Wiel, senior security researcher, GReAT at Kaspersky.
For more details on the Andariel campaign, including technical analysis and comprehensive findings, visit Securelist.com.
To avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
- Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years.
- Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
- For endpoint-level detection, investigation, and the timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
- As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform.