Attacks by Lazarus sub-group involve novel EarlyRAT malware

BleepingComputer reports that Andariel, a sub-group of North Korean state-sponsored hacking operation Lazarus Group, has leveraged the newly discovered EarlyRAT malware in attacks abusing the Log4Shell vulnerability last year. Network reconnaissance, credential theft, and lateral movement activities following Log4Shell exploitation were facilitated by Andariel, also known as Stonefly, through the Powerline, Putty, Dunpert, and 3Proxy tools, while macros in the operation's phishing document enabled EarlyRAT payload retrieval from a server previously used in Maui ransomware campaigns, according to a Kaspersky report. Further analysis revealed that aside from delivering gathered system information to the command-and-control server, the malware also enabled command execution to allow additional payload downloads and data exfiltration, as well as system disruptions. Significant similarities have also been found between EarlyRAT and Lazarus' MagicRAT tool, said researchers, who noted the prevalence of mistakes and typographical errors in the commands of EarlyRAT, indicating that the malware may have been managed by an inexperienced operator.