New EarlyRAT malware linked to North Korean Andariel hacking group

Security analysts have discovered a previously undocumented remote access trojan (RAT) named 'EarlyRAT,' used by Andariel, a sub-group of the Lazarus North Korean state-sponsored hacking group.

Andariel (aka Stonefly) is believed to be part of the Lazarus hacking group known for employing the DTrack modular backdoor to collect information from compromised systems, such as browsing history, typed data (keylogging), screenshots, running processes, and more.

In a more recent report from WithSecure, it was discovered that a North Korean group using a newer variant of DTrack, possibly Andariel, gathered valuable intellectual property for two months.

Kaspersky has also linked Andariel to Maui ransomware deployments in Russia, India, and Southeast Asia, so the threat group often focuses on generating revenue.

The hacking group uses EarlyRAT to collect system information from the breached devices and send it to the attacker's C2 (command and control) server.

The discovery of the RAT, which comes from Kaspersky, adds another piece to the group's arsenal puzzle and helps defenders detect and stop associated intrusions.

EarlyRAT

Kaspersky discovered EarlyRAT while investigating an Andariel campaign from mid-2022, where the threat actors were leveraging Log4Shell to breach corporate networks.

By exploiting the flaw in Log4j software, Andariel downloaded off-the-shelf tools like 3Proxy, Putty, Dumpert, and Powerline to perform network reconnaissance, credential stealing, and lateral movement.

The analysts also noticed a phishing document in these attacks, which used macros to fetch an EarlyRAT payload from a server associated with past Maui ransomware campaigns.

EarlyRAT is a simple tool that, upon launch, collects system information and sends it to the C2 server via a POST request.



EarlyRAT's POST request (Kaspersky)