EarlyRat Malware Family
admin 9 months ago
admin #news

EarlyRat: Hidden Malware Family Exposed By North Korean Hackers

Kaspersky Lab researchers have uncovered a previously undocumented malware family and identified operational errors committed by Andariel, a faction of the North Korean Lazarus Group. Kaspersky Lab, in its report, analyzed the tactics of the Andariel group and identified a new threat called "EarlyRat".

The Andariel group is known for using DTrack malware and Maui ransomware. Andariel first gained attention in mid-2022. Using the Log4Shell vulnerability, Andariel delivered various families of malware to target devices, including YamaBot and MagicRat, as well as updated versions of NukeSped and DTrack.


An investigation by Kaspersky Lab showed that Andariel initiates the infection by executing a Log4Shell exploit that downloads additional malware from a command and control (C2) server.


It is noteworthy that the researchers observed the execution of commands by a human operator and noted numerous errors and typos, suggesting that an inexperienced attacker was behind the operation.


The researchers also identified a new malware family called EarlyRat. Initially, it was assumed that EarlyRat samples were downloaded via Log4Shell, but further analysis showed that phishing documents were the main delivery mechanism for EarlyRat.


EarlyRat, like many other remote access trojans (RATs), collects system information upon activation and transmits it to the C2 server in a specific pattern. The transmitted data includes a unique computer identifier (ID), and subsequent requests are encrypted using the cryptographic keys specified in the ID field.


In terms of functionality, EarlyRat is simple, mostly limited to executing commands. Interestingly, EarlyRat shares some similarities with the Lazarus MagicRat malware: both are built on a high-level framework (Qt for MagicRat and PureBasic for EarlyRat), and both RAT Trojans offer only limited functionality.


MagicRAT was first seen on victim networks using VMware Horizon servers connected to the internet. According to the researchers, the Trojan was created using the Qt framework to make analysis more difficult and less likely to be detected by security systems.


To maintain persistence on the system, the Trojan creates scheduled tasks. The functionality of MagicRat is quite simple: the malware provides attackers with a remote shell that allows them to execute arbitrary commands and manipulate the victim's files.
