Heimdal

A previously undocumented remote access trojan (RAT) has been discovered by security analysts. Dubbed ‘EarlyRAT’, the trojan is believed to be used by Andariel, a sub-group of the North Korean state-sponsored hacking group Lazarus.

Also known as Stonefly, Andariel is known for employing the DTrack modular backdoor to collect information from compromised systems, such as browsing history, typed data (keylogging), screenshots, running processes, and more.

EarlyRAT Explained: How It Operates

The group uses EarlyRAT to gather system information from breached devices and send it to the attacker’s C2 (command and control) server.

The malware was discovered while investigating an Andariel campaign from mid-2022 in which the threat actors exploited Log4Shell (CVE-2021-44228, the Log4j vulnerability) to gain initial access to corporate networks. Once inside, Andariel performed network reconnaissance, credential theft, and lateral movement using open-source tools such as 3Proxy, Putty, Dumpert, and Powerline.

Additionally, the analysts discovered a phishing document used in these attacks whose macros retrieved an EarlyRAT payload from a server linked to previous Maui ransomware campaigns.

EarlyRAT is a straightforward program that immediately starts gathering system data and sending it via a POST request to the C2 server.

EarlyRAT’s second main function is executing commands on the infected system, which can be used to download further payloads, exfiltrate sensitive data, or disrupt system operations.
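The behaviour described above, a single host repeatedly POSTing to a destination that the rest of the fleet never talks to, is something a SOC can hunt for in web-proxy logs without any EarlyRAT-specific indicator. The script below is an added example written for this page; it is not code from the original article or from the EarlyRAT analysis. The log format, the host and domain names, and the thresholds are assumptions, and the traffic shape (periodic POSTs of similar size) is the generic one the article describes, not EarlyRAT’s actual protocol.

```python
"""Hunt for RAT-style HTTP POST beaconing in proxy logs.

Two signals are combined:
  1. rarity      - the destination is POSTed to by very few internal hosts
  2. periodicity - one host's POSTs to it arrive at regular intervals
Neither alone is conclusive; together they are a good triage starting point.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample proxy log lines (assumed format, not real data):
# <ISO timestamp> <source host> <HTTP method> <destination host> <path> <request bytes>
SAMPLE_LOG = """\
2022-06-14T09:00:00Z WS-017 POST telemetry.vendor-cdn.example /v1/ingest 1240
2022-06-14T09:00:04Z WS-021 POST telemetry.vendor-cdn.example /v1/ingest 1198
2022-06-14T09:00:09Z WS-033 POST telemetry.vendor-cdn.example /v1/ingest 1301
2022-06-14T09:00:12Z WS-017 GET www.news-site.example /index.html 0
2022-06-14T09:01:00Z WS-017 POST update.stale-host.example /index.php 612
2022-06-14T09:02:00Z WS-017 POST update.stale-host.example /index.php 608
2022-06-14T09:03:01Z WS-017 POST update.stale-host.example /index.php 615
2022-06-14T09:03:58Z WS-017 POST update.stale-host.example /index.php 610
2022-06-14T09:05:00Z WS-017 POST update.stale-host.example /index.php 611
2022-06-14T09:05:30Z WS-021 POST telemetry.vendor-cdn.example /v1/ingest 1187
"""


def parse_log(text):
    """Parse the assumed whitespace-separated proxy format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, dst, path, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src,
            "method": method,
            "dst": dst,
            "path": path,
            "bytes": int(nbytes),
        })
    return events


def find_post_beacons(events, max_src_hosts=2, min_requests=4, max_jitter=0.15):
    """Return (src, dst, request_count, mean_interval_seconds) for suspected beacons.

    A destination counts as rare when at most max_src_hosts internal hosts POST
    to it. A (src, dst) session counts as beaconing when it has at least
    min_requests POSTs whose inter-arrival coefficient of variation
    (stdev / mean) is at most max_jitter. Thresholds are assumptions; tune
    them to the fleet being monitored.
    """
    posts = [e for e in events if e["method"] == "POST"]
    hosts_per_dst = defaultdict(set)
    times = defaultdict(list)
    for e in posts:
        hosts_per_dst[e["dst"]].add(e["src"])
        times[(e["src"], e["dst"])].append(e["ts"])

    findings = []
    for (src, dst), stamps in times.items():
        if len(hosts_per_dst[dst]) > max_src_hosts or len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; not a usable interval series
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append((src, dst, len(stamps), round(avg, 1)))
    return findings


if __name__ == "__main__":
    for src, dst, count, interval in find_post_beacons(parse_log(SAMPLE_LOG)):
        print(f"suspected beacon: {src} -> {dst} ({count} POSTs, ~{interval}s apart)")
```

In the constructed sample, the vendor telemetry endpoint is contacted by three hosts and is ignored, while WS-017 POSTs to the rare domain every ~60 seconds with almost no jitter and is flagged. In practice this should run over a day or more of logs, the rarity threshold should be expressed as a fraction of the fleet, and flagged sessions should be joined to endpoint data (which process made the request, and whether it was spawned by an Office application) before anyone calls it an incident.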

According to BleepingComputer, security researchers say that the tool is very similar to another one used by Lazarus, MagicRAT, whose functions include the creation of scheduled tasks and downloading additional malware from the C2.

Based on the analysis, the malware appears to have been driven by an inexperienced human operator: many commands were typed manually into the compromised systems rather than hardcoded into the malware, and they frequently contained typos.


Author Profile

Cristian Neagu

CONTENT EDITOR
