The North Korea-aligned threat actor known as Andariel leveraged a previously undocumented malware named EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year.
"Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the command-and-control (C2) server," Kaspersky said in a new report.
Also called Silent Chollima and Stonefly, Andariel is associated with North Korea's Lab 110, a primary hacking unit that also houses APT38 (aka BlueNoroff) and other subordinate elements collectively tracked under the umbrella name Lazarus Group.
The threat actor, besides conducting espionage attacks against foreign government and military entities that are of strategic interest, is known to carry out cyber crime as an additional source of income for the sanctions-hit country.
Some of the key cyber weapons in its arsenal include a ransomware strain referred to as Maui and numerous remote access trojans and backdoors such as Dtrack (aka Valefor and Preft), NukeSped (aka Manuscrypt), MagicRAT, and YamaBot.
NukeSped contains a range of features to create and terminate processes and to move, read, and write files on the infected host. The use of NukeSped overlaps with a campaign tracked by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) under the name TraderTraitor.
Andariel's weaponization of the Log4Shell vulnerability in unpatched VMware Horizon servers was previously documented by AhnLab Security Emergency Response Center (ASEC) and Cisco Talos in 2022.
The latest attack chain uncovered by Kaspersky shows that EarlyRat is propagated by means of phishing emails containing decoy Microsoft Word documents. The files, when opened, prompt the recipients to enable macros, leading to the execution of VBA code responsible for downloading the trojan.
Described as a simple but limited backdoor, EarlyRat is designed to collect and exfiltrate system information to a remote server as well as execute arbitrary commands. It also shares high-level similarities with MagicRAT, and it is written using a framework called PureBasic. MagicRAT, on the other hand, employs the Qt Framework.
Another characteristic of the intrusion is the use of legitimate off-the-shelf tools like 3Proxy, ForkDump, NTDSDumpEx, Powerline, and PuTTY for further exploitation of the target.
"Despite being an APT group, Lazarus is known for performing typical cybercrime tasks, such as deploying ransomware, which makes the cybercrime landscape more complex," Kaspersky said. "Moreover, the group uses a wide variety of custom tools, constantly updating existing and developing new malware."
Some parts of this article are sourced from:
thehackernews.com