North Korean ‘Andariel’ Threat Group Adds New EarlyRAT Malware to Its Phishing Campaign

According to a recent cybersecurity report, Andariel, a part of the state-sponsored Lazarus Threat Group with links to North Korea, has been associated with the discovery of a new malware named ‘EarlyRAT’.

In mid-2022, the threat actor Andariel was known for using the DTrack malware and Maui ransomware. To breach its target’s network, Andariel also exploited the Log4j vulnerability, while introducing several types of new malware, like YamaBot, MagicRat and updated versions of NukeSpeed and DTrack.

EarlyRAT was discovered by Kaspersky in an unrelated investigation while looking into Andariel’s campaign. It was observed that the threat group infected its target’s machine by executing a Log4j exploit, which further downloaded malwares from a C2 (command & control) server.

However, in the case of EarlyRAT, it was seen that the malware was propagated using phishing documents (Microsoft Word). These files used macros to fetch the malware from a server related to the Maui ransomware campaign.

EarlyRAT is a simple remote access trojan, which when executed collects system information and sends it to a C2 server. ‘’In terms of functionality, EarlyRat is very simple. It is capable of executing commands, and that is about the most interesting thing it can do,’’ the report stated. Similarity was also seen between EarlyRAT and MagicRAT. Both have limited functionality and are also written using framework, PureBasic for EarlyRAT and Qt for MagicRAT.

The investigation further revealed that the commands were being executed by an inexperienced human operator, based on the number of mistakes, and typing errors. Moreover, a new attack tactic used by Andariel was also identified, i.e., using a set of off-the-shelf legitimate tools like PuTTY, 3Proxy, ForkDump, NTDSDumpEx, Powerline and SupRemo, among others.

Given that Lazarus and its sub-groups not only engage in APTs but also cybercrimes, like ransomware deployment, it’s imperative to study both complex and simple malwares introduced by this group. By focusing on TTPs (tactics, techniques, and procedures), targeted organizations can pre-empt attacks and deploy ‘’proactive countermeasures to prevent incidents from happening,’’ noted Kaspersky.