Researchers have discovered a new remote access trojan (RAT) called EarlyRat that has been used by North Korean threat actors in attacks that exploit the Log4j vulnerability in phishing campaigns.
The researchers at Kaspersky are credited for identifying the new malware and attribute the EarlyRat trojan to the advanced persistent threat (APT) group Andariel (also known as Stonefly) - a subgroup of North Korean state-sponsored threat operation Lazarus.
“While on an unrelated investigation recently, we stumbled upon this campaign and decided to dig a little bit deeper,” the Kaspersky researchers said in a research note outlining their findings posted on Wednesday.
“We discovered a previously undocumented malware family (EarlyRat) and an addition to Andariel’s set of TTPs (tactics, techniques, and procedures).”
They said there were several high-level similarities between EarlyRat and MagicRat. “Both are written using a framework: QT is used for MagicRat and PureBasic, for EarlyRat. Also, the functionality of both RATs is very limited.”
The researchers said Andariel infected machines by executing a Log4j exploit, which, in turn, downloaded further malware from the threat group’s command-and-control server.
APT unmasked via 'fat finger' mistakes
Kaspersky also found evidence Andariel was using phishing documents, as well as the Log4j vulnerability, in an attempt to drop EarlyRat on targeted systems.
“Unfortunately, we were unable to catch the first piece of malware they downloaded, but we did see that exploitation was closely followed by the DTrack backdoor being downloaded,” they wrote.
Kaspersky established Andariel used a number of off-the-shelf tools that installed and ran during the command execution phase of their attacks, including SupRemo remote desktop, universal proxy server 3Proxy, and open source terminal emulator application Putty.
The researchers were able to reproduce the commands the attackers executed and discovered the attacks “were run by a human operator, and judging by the amount of mistakes and typos, likely an inexperienced one.” In one command line the operator misspelled “Program”.
“Another funny moment was when the operators realized they were in a system that used the Portuguese locale. This took surprisingly long,” they wrote.
New Malware Underwhelms
The phishing file the group used was “not that advanced”: a Word document purportedly from the “Microsoft Office Team” asking the user to enable macros on the application they were using. Many threat groups have stopped attempting to use macros to distribute payloads after Microsoft began blocking them by default on many of its Office applications.
As well as the methods used by Andariel to drop EarlyRat on targets’ systems being unsophisticated, the malware itself lacked the complexity often associated with Lazarus’ campaigns.
“In terms of functionality, EarlyRat is very simple. It is capable of executing commands, and that is about the most interesting thing it can do,” the researchers said.
Even though the malware was not complicated, it was worth investigating, researchers said, given that Lazarus and its subgroups were not only involved in APT activities, but also “typical cybercrime tasks, such as deploying ransomware” using a wide variety of tools that were constantly evolving.
“Focusing on TTPs as we did with Andariel helps to minimize attribution time and detect attacks in their early stages. This information can also help in taking proactive countermeasures to prevent incidents from happening.”
Lazarus and Andariel were both sanctioned by the U.S. Office of Foreign Assets Control in 2019 for carrying out ransomware attacks on the Swift interbank messaging system and other critical infrastructure targets that raised funds for North Korea’s weapons and missile programs.
While levying sanctions against the rogue state’s cyber threat entities is unlikely to act as a deterrent, and is considered to be a mainly symbolic gesture, it does enable the federal government to seize any U.S.-based assets it discovers belonging to the groups.