The latest research discovered Andariel, a part of the Lazarus group, introduced several new malware families, such as YamaBot and MagicRat, updated versions of NukeSped and DTrack.
Andariel group executed the Maui ransomware attack using the DTrack backdoor by exploiting the Log4j vulnerability to gain access.
US Cybersecurity and Infrastructure Security Agency (CISA) reported that Maui ransomware targets mainly companies and government organizations in the US healthcare sector.
As a result, researchers uncovered a previously undocumented malware family and an addition to Andariel’s set of TTPs.
DTrack Backdoor
Andariel infects Windows machines by executing a Log4j exploit that downloads further malware from the C2 server.
The Andariel group’s primary tool is the long-established malware DTrack. It collects information about a victim and sends it to a remote host.
DTrack collects browser history and saves it to a separate file. The variant used in Andariel attacks sends the harvested information to the cybercriminals’ server via HTTP and stores it on a remote host in the victim’s network.
Kaspersky found most of the commands during the attack was executed manually; it did not leave any ransom notes on victim machines.
Also, it found a set of off-the-shelf tools, Andariel, that were installed and run during the command execution phase and then used for further exploitation of the target. Below are some examples:
- Supremo remote desktop
- 3Proxy
- Powerline
- Putty
- Dumpert
- NTDSDumpEx
- ForkDump
Early RAT
Andariel also uses Early RAT to target the victim machine delivered through phishing emails. The malicious attachment delivers a warning message to the users to enable macros.
Once the user has enabled the macros, it executes a command to ping a server associated with the HolyGhost / Maui ransomware campaign.
EarlyRat, just like many other RATs (remote access Trojans), collects system information upon starting and sends it to the C2 using the following template:
The request has two different parameters: “id” and “query.” Next, the “rep0” and “page” parameters are also supported. They are used in the following cases:
- id: unique ID of the machine used as a cryptographic key to decrypt value from “query”
- query: the actual content. Is Base64 encoded and rolling XORed with the key specified in the “id” field.
- rep0: the value of the current directory
- page: the value of the internal state
There are several high-level similarities between EarlyRat and MagicRat. Both are written using a framework: QT is used for MagicRat and PureBasic, for EarlyRat. Also, the functionality of both RATs is very limited.
Although an APT group, Lazarus is notorious for carrying out traditional cybercrime operations, such as executing ransomware, which complicates the cybercrime scene. The gang also employs various unique tools, frequent updates and creates new viruses.
