
New EarlyRAT malware linked to North Korean Andariel hacking group
2023-06-29 17:39

Security analysts have discovered a previously undocumented remote access trojan named 'EarlyRAT,' used by Andariel, a sub-group of the Lazarus North Korean state-sponsored hacking group.

A separate, more recent report from WithSecure described a North Korean group, possibly Andariel, using a newer variant of the DTrack malware to gather valuable intellectual property from a victim over a two-month intrusion.

The hacking group uses EarlyRAT to collect system information from the breached devices and send it to the attacker's C2 server.

Kaspersky discovered EarlyRAT while investigating an Andariel campaign from mid-2022, in which the threat actors exploited Log4Shell (CVE-2021-44228) to breach corporate networks.

Kaspersky does not go into further detail on that point, but says that EarlyRAT is very similar to MagicRAT, another tool used by Lazarus, with functionality that includes creating scheduled tasks and downloading additional malware from the C2 server. The researchers add that the EarlyRAT activity they examined appeared to be carried out by an inexperienced human operator, given the number of mistakes and typos in the commands.

Similar carelessness uncovered a Lazarus campaign to WithSecure's analysts last year, who saw an operator of the group forget to use a proxy at the start of their workday and expose their North Korean IP address.


News URL

https://www.bleepingcomputer.com/news/security/new-earlyrat-malware-linked-to-north-korean-andariel-hacking-group/