North Korean hackers' blunder reveals new EarlyRat malware family
The experts showed how the new Trojan spreads and what connections it has with the Lazarus Group.
Kaspersky Lab researchers have uncovered a previously undocumented malware family and identified operational errors committed by Andariel, a faction of the North Korean Lazarus Group. In its report, Kaspersky Lab analyzed the tactics of the Andariel group and identified a new threat it calls EarlyRat.
The Andariel group is known for using the DTrack malware and the Maui ransomware. Andariel first gained attention in mid-2022. Exploiting the Log4Shell vulnerability, Andariel delivered various malware families to target devices, including YamaBot and MagicRat, as well as updated versions of NukeSped and DTrack.
An investigation by Kaspersky Lab showed that Andariel begins the infection by executing a Log4Shell exploit that downloads additional malware from a command-and-control (C2) server.
Notably, the researchers observed commands being executed by a human operator and noted numerous errors and typos, suggesting that an inexperienced operator was behind the activity.
The researchers also identified a new malware family called EarlyRat. Initially, it was assumed that EarlyRat samples were downloaded via Log4Shell, but further analysis showed that phishing documents were the main delivery mechanism for EarlyRat.
Once activated, EarlyRat, like many other remote access trojans (RATs), collects system information and sends it to the C2 server in a fixed template. The transmitted data includes a unique computer identifier (ID), and subsequent requests are encrypted using the cryptographic keys specified in the ID field.
In terms of functionality, EarlyRat is simple, limited mostly to executing commands. Interestingly, EarlyRat shares some traits with Lazarus's MagicRat malware: both are built on high-level frameworks (Qt for MagicRat, PureBasic for EarlyRat), and both RATs offer only limited functionality.
MagicRat was first seen on the networks of victims running internet-facing VMware Horizon servers. According to the researchers, the Trojan was built with the Qt framework to make analysis harder and to reduce the likelihood of detection by security products.
To persist on the system, the Trojan creates scheduled tasks. MagicRat's functionality is quite simple: the malware gives attackers a remote shell that lets them execute arbitrary commands and manipulate the victim's files.
Source: www.securitylab.ru