
Woburn, MA – June 28, 2023 – During an in-depth malware investigation into the activities of Andariel, a notorious subgroup of Lazarus, Kaspersky researchers discovered a new malware family, called EarlyRat, being used alongside Andariel’s DTrack malware and Maui ransomware.

Andariel, an advanced persistent threat (APT) group, has operated for more than a decade within the Lazarus group and has long been on the radar of Kaspersky researchers. The experts recently uncovered a campaign involving a previously undocumented malware family and identified additional tactics, techniques, and procedures (TTPs) used by the group. The new analysis will help reduce the time needed for attribution and proactively detect attacks at their early stages.

Andariel initiates infections by leveraging a Log4j exploit, which enables the download of additional malware from its command-and-control (C2) infrastructure. Although the initial piece of downloaded malware was not captured, the DTrack backdoor was observed being downloaded shortly after the Log4j exploitation.

The researchers made a notable finding when they replicated the command execution process: the commands in Andariel’s campaign were being executed by a human operator, presumably one with little experience, as evidenced by numerous mistakes and typos. For example, the operator mistakenly wrote “Prorgam” instead of “Program.”

Kaspersky researchers encountered a version of EarlyRat in one of the Log4j cases. In some cases, EarlyRat was downloaded via the Log4j vulnerability, while in others phishing documents ultimately deployed EarlyRat.

EarlyRat, like many other Remote Access Trojans (RATs), collects system information upon activation and transmits it to the C2 server using a specific template. The transmitted data includes a unique machine identifier (ID) and queries, which are encrypted using cryptographic keys specified in the ID field.

In terms of functionality, EarlyRat is simple, limited primarily to executing commands. Interestingly, EarlyRat shares some high-level similarities with MagicRat, malware that Lazarus has deployed before, such as the use of frameworks (Qt for MagicRat and PureBasic for EarlyRat) and the restricted functionality of both RATs.

“In the vast landscape of cybercrime, we encounter numerous players and groups that operate with fluid compositions,” said Jornt van der Wiel, senior security researcher, GReAT at Kaspersky. “It is common for groups to adopt code from others, and even affiliates who can be considered as independent entities, switching between different types of malware. Adding to the complexity, subgroups of APT groups, such as Lazarus’ Andariel, engage in typical cybercrime activities like deploying ransomware. By focusing on tactics, techniques, and procedures (TTPs), as we did with Andariel, we can significantly reduce attribution time and detect attacks at their early stages.”

For more details on the Andariel campaign, including technical analysis and comprehensive findings, visit Securelist.com.

To avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

· Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years.

· Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.

· For endpoint-level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.

· In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats at the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.

· As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and specialized security solutions and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help over 220,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Media Contact

Sawyer Van Horn

sawyer.vanhorn@Kaspersky.com

(781) 503-1866

Kaspersky uncovers new malware family used by Lazarus subgroup Andariel
