Researchers found a previously undocumented malware family called EarlyRAT that was being deployed by a subgroup of the North Korean-backed Lazarus Group in Log4j and phishing attacks last year.
The known subgroup of Lazarus, called Andariel, was previously observed targeting VMware Horizon servers vulnerable to the Log4j flaw throughout 2022 in order to deploy new malware including MagicRAT and updated versions of NukeSped. Researchers at Cisco Talos, Symantec and Ahnlab closely documented this activity, but researchers with Kaspersky on Wednesday said that they separately investigated the group’s activity between March and June 2022 and found it deploying a never-before-seen malware family.
Though researchers said the new RAT is “very simple,” with basic functionalities for executing commands and collecting system information, it serves as another example of the Lazarus Group’s ability to rapidly develop new malware to target organizations worldwide.
“Despite being an APT group, Lazarus Group is known for performing typical cybercrime tasks, such as deploying ransomware, which makes the cybercrime landscape more complicated,” said researchers with Kaspersky in a Wednesday analysis. “Moreover, the group uses a wide variety of custom tools, constantly updating existing and developing new malware.”
Researchers found the malware being deployed via both Log4j exploits and through phishing emails. After the initial exploit, threat actors downloaded a mystery malware from the command-and-control (C2) server, which researchers said they were unable to further investigate. This malware then executed DTrack, a backdoor widely used by the Lazarus Group over the past three years.
The attackers also used an array of off-the-shelf tools and abused various services for further exploitation, including the SupRemo remote desktop, the 3Proxy universal proxy server and the Putty open source terminal emulator application.
Researchers said that EarlyRAT is reminiscent, at a high level, of the Lazarus Group’s MagicRAT malware family previously uncovered by Cisco Talos researchers: both RATs have limited functionality and are written using frameworks. MagicRAT was written with the Qt framework, a programming library for developing graphical user interfaces, while EarlyRAT was written with the PureBasic framework for the BASIC programming language.
Andariel, which has conducted both destructive and financially motivated cyberattacks since at least 2009, is one of the subgroups under the Lazarus Group umbrella. Overall, several different threat actors beyond Lazarus have been associated with North Korean state-sponsored campaigns, including Kimsuky, known for launching cyber-espionage operations since 2012, and APT37, which has targeted victims since 2012 to gather information in support of North Korea’s various national interests.
Interestingly, the campaign included several blunders that indicated a lack of sophistication on the part of the operator. For instance, the commands executed in the attacks included spelling mistakes, and the attackers took “surprisingly long” to realize that they were in a system with a Portuguese locale, researchers noted. In addition, the phishing emails in the campaign were not advanced and asked targets to enable macros, which is notable because many cybercriminals have switched to other options, such as XLL files, ISO images and MSI files, after Microsoft blocked macros by default for several Office applications.
“Andariel is quite active during their waves of attacks,” said Jornt van der Wiel, senior security researcher with GReAT at Kaspersky. “The fact that they made silly mistakes indicates that the operators were most likely beginners or were recently recruited. On the other hand, other subgroups within Lazarus work meticulously, for example to pull off the Bangladesh bank heist.”