New EarlyRAT malware linked to North Korean Andariel hacking group

Security analysts have discovered a previously undocumented remote access trojan (RAT) named 'EarlyRAT,' used by Andariel, a sub-group of the Lazarus North Korean state-sponsored hacking group.

Andariel (aka Stonefly) is believed to be part of the Lazarus hacking group known for employing the DTrack modular backdoor to collect information from compromised systems, such as browsing history, typed data (keylogging), screenshots, running processes, and more.

In a more recent report from WithSecure, it was discovered that a North Korean group using a newer variant of DTrack, possibly Andariel, gathered valuable intellectual property for two months.

Kaspersky has also linked Andariel to Maui ransomware deployments in Russia, India, and Southeast Asia, so the threat group often focuses on generating revenue.

The hacking group uses EarlyRAT to collect system information from the breached devices and send it to the attacker's C2 (command and control) server.

The discovery of the RAT, which comes from Kaspersky, adds another piece to the group's arsenal puzzle and helps defenders detect and stop associated intrusions.

EarlyRAT

Kaspersky discovered EarlyRAT while investigating an Andariel campaign from mid-2022, where the threat actors were leveraging Log4Shell to breach corporate networks.

By exploiting the flaw in Log4j software, Andariel downloaded off-the-shelf tools like 3Proxy, Putty, Dumpert, and Powerline to perform network reconnaissance, credential stealing, and lateral movement.

The analysts also noticed a phishing document in these attacks, which used macros to fetch an EarlyRAT payload from a server associated with past Maui ransomware campaigns.

EarlyRAT is a simple tool that, upon launch, collects system information and sends it to the C2 server via a POST request.

The second primary function of EarlyRAT is to execute commands on the infected system, possibly to download additional payloads, exfiltrate valuable data, or disrupt system operations.

Kaspersky does not elaborate on that front but says that EarlyRAT is very similar to MagicRAT, another tool used by Lazarus, whose functions include the creation of scheduled tasks and downloading additional malware from the C2.

The researchers say that the examined EarlyRAT activities seemed to be executed by an inexperienced human operator, given the number of mistakes and typos.

It was observed that various commands executed on the breached network devices were manually typed and not hardcoded, often leading to typo-induced errors.

Similar carelessness uncovered a Lazarus campaign to WithSecure's analysts last year, who saw an operator of the group forget to use a proxy at the start of their workday and expose their North Korean IP address.