The North Korea-aligned threat actor known as Andariel leveraged a previously undocumented malware called EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year.

“Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the command-and-control (C2) server,” Kaspersky said in a new report.

Also called Silent Chollima and Stonefly, Andariel is associated with North Korea’s Lab 110, a primary hacking unit that also houses APT38 (aka BlueNoroff) and other subordinate elements collectively tracked under the umbrella name Lazarus Group.

The threat actor, besides conducting espionage attacks against foreign government and military entities that are of strategic interest, is known to carry out cyber crime as an extra source of income for the sanctions-hit nation.

Some of the key cyber weapons in its arsenal include a ransomware strain referred to as Maui and numerous remote access trojans and backdoors such as Dtrack (aka Valefor and Preft), NukeSped (aka Manuscrypt), MagicRAT, and YamaBot.

NukeSped contains a range of features to create and terminate processes and move, read, and write files on the infected host. The use of NukeSped overlaps with a campaign tracked by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) under the name TraderTraitor.

Andariel’s weaponization of the Log4Shell vulnerability in unpatched VMware Horizon servers was previously documented by AhnLab Security Emergency Response Center (ASEC) and Cisco Talos in 2022.

The latest attack chain discovered by Kaspersky shows that EarlyRat is propagated by means of phishing emails containing decoy Microsoft Word documents. The files, when opened, prompt the recipients to enable macros, leading to the execution of VBA code responsible for downloading the trojan.

Described as a simple but limited backdoor, EarlyRat is designed to collect and exfiltrate system information to a remote server as well as execute arbitrary commands. It shares high-level similarities with MagicRAT and is written using a framework called PureBasic. MagicRAT, on the other hand, employs the Qt Framework.

Another characteristic of the intrusion is the use of legitimate off-the-shelf tools like 3Proxy, ForkDump, NTDSDumpEx, Powerline, and PuTTY for further exploitation of the target.

“Despite being an APT group, Lazarus is known for performing typical cyber crime tasks, such as deploying ransomware, which makes the cybercrime landscape more complicated,” Kaspersky said. “Moreover, the group uses a wide variety of custom tools, constantly updating existing and developing new malware.”