Kaspersky uncovers new malware family used by Andariel, Lazarus’ subgroup
During an in-depth malware investigation into the activities of Andariel, a notorious subgroup of Lazarus, Kaspersky researchers discovered a new malware family called EarlyRat, being used alongside Andariel’s known utilization of the DTrack malware and Maui ransomware. The new analysis helps to reduce the time needed for attribution and proactively detect attacks at their early stages.
Andariel, an advanced persistent threat (APT) has operated for more than a decade within Lazarus group, and has been on the radars of Kaspersky researchers. Most recently, they have found Andariel’s campaign and uncovered a previously undocumented malware family identifying its additional tactics, techniques, and procedures (TTPs).
Andariel initiates infections by leveraging a Log4j exploit, which enables the download of additional malware from its command-and-control (C2) infrastructure. Although the initial piece of downloaded malware was not captured, it was observed that the DTrack backdoor was subsequently downloaded shortly after the Log4j exploitation.
A fascinating aspect of the investigation emerged when Kaspersky was able to replicate the command execution process. It became evident that commands within the Andariel’s campaign were being executed by a human operator, presumably one with little experience, as evidenced by the numerous mistakes and typos made. For example, the operator mistakenly wrote “Prorgam” instead of “Program”.
Among the findings, Kaspersky researchers encountered a version of EarlyRat in one of the Log4j cases. In some cases, EarlyRat was downloaded via the Log4j vulnerability, while in others it was discovered that phishing documents ultimately deployed EarlyRat.
An example of phishing document
EarlyRat, like many other Remote Access Trojans (RATs), collects system information upon activation and transmits it to the C2 server using a specific template. The transmitted data includes unique machine identifiers (ID) and queries, which are encrypted using cryptographic keys specified in the ID field.
In terms of functionality, EarlyRat exhibits simplicity, primarily limited to executing commands. Interestingly, EarlyRat shares some high-level similarities with MagicRat – the malware that has been deployed by Lazarus before – such as the utilization of frameworks (QT for MagicRat and PureBasic for EarlyRat) and the restricted functionality of both RATs.
“In the vast landscape of cybercrime, we encounter numerous players and groups that operate with fluid compositions. It is common for groups to adopt code from others, and even affiliates who can be considered as independent entities, switching between different types of malware. Adding to the complexity, subgroups of APT groups, such as Lazarus’ Andariel, engage in typical cybercrime activities like deploying ransomware. By focusing on tactics, techniques, and procedures (TTPs), as we did with Andariel, we can significantly reduce attribution time and detect attacks at their early stages,” comments Jornt van der Wiel, senior security researcher, GReAT at Kaspersky.
For more details on the Andariel campaign, including technical analysis and comprehensive findings, visit Securelist.com
To avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
· Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years.
· Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts
· For endpoint level detection, investigation, and the timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response
· In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform
· As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform
About Kaspersky
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and specialized security solutions and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help over 220,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
Kaspersky uncovers new malware family used by Andariel, Lazarus’ subgroup
Kaspersky
Related Articles Virus News
Global mobile banking malware grows 32 percent in 2023
Kaspersky has released its annual Financial Threats Report for 2023, offering a detailed analysis of the evolving financial cyberthreat landscape. The report reveals significant increases in mobile banking malware and cryptocurrency-related phishing, signaling growing threats to digital financial assets.Read More >Turkey, Russia, Southeast Asia and Latin America hit by Android threats, Kaspersky identifies
Three new dangerous Android malware variants have been analyzed by Kaspersky researchers. The Tambir, Dwphon, and Gigabud malicious programs exhibit diverse features, ranging from downloading other programs and credential theft to bypassing two-factor authentication (2FA) and screen recording, jeopardizing user privacy and security.Read More >Targeted ransomware groups have grown in numbers and sophistication, say Kaspersky experts
An in-depth research by Kaspersky experts shows a surge in the number of targeted ransomware groups globally by 30% from 2022 to 2023. In parallel to this increase, the number of victims of targeted ransomware attacks spiked by 70% within the same time period. These insights were shared at Kaspersky’s ninth annual Cyber Security Weekend – META, which took place in Kuala Lumpur.Read More >
We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.