Andariel APT Hackers Introduce New Malware via Weaponized MS Word Doc


The Lazarus group, specifically its Andariel arm, has been observed introducing several new malware families, including YamaBot and MagicRat, along with updated versions of NukeSped and DTrack. The Andariel group has been linked to the Maui ransomware attack, which exploited the Log4j vulnerability to gain initial access.

The US Cybersecurity and Infrastructure Security Agency (CISA) has reported that the Maui ransomware primarily targets companies and government organizations within the US healthcare sector. Researchers investigating that activity uncovered a previously undocumented malware family and an addition to Andariel's set of Tactics, Techniques, and Procedures (TTPs).

Andariel infects Windows machines by executing a Log4j exploit that downloads additional malware from the Command and Control (C2) server. The group's primary tool is the long-established malware DTrack, which collects information about the victim and sends it to a remote host. DTrack also collects browser history and saves it to a separate file. The variant used in Andariel attacks sends the harvested information to the attackers' server via HTTP and also stores it on a remote host within the victim's network.

Kaspersky has found that most of the commands during the attack were executed manually, and that no ransom notes were left on victim machines. The security firm also discovered a set of off-the-shelf tools that Andariel installed and ran during the command execution phase and then used for further exploitation of the target. Examples of these tools include Supremo remote desktop, 3Proxy, Powerline, PuTTY, Dumpert, NTDSDumpEx, and ForkDump.

Andariel also uses EarlyRat to target victim machines, delivered through phishing emails carrying a macro-enabled document. Once the user enables the macros, the document executes a command that pings a server associated with the HolyGhost / Maui ransomware campaign. EarlyRat, like many other RATs (remote access Trojans), collects system information upon starting and sends it to the C2 using a specific template.

There are several high-level similarities between EarlyRat and MagicRat. Both are written using a framework: Qt for MagicRat and PureBasic for EarlyRat. Also, the functionality of both RATs is very limited.

Although an APT group, Lazarus is notorious for carrying out traditional cybercrime operations, such as deploying ransomware, which complicates the picture of the cybercrime scene. The gang also employs a variety of unique tools, updates them frequently, and creates new malware. Concentrating on TTPs reduces attribution time and aids in the early detection of attacks. With the aid of this knowledge, preventive measures can be taken to avert incidents.
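Two of the TTPs described above are easy to express as host-level detection logic: an Office process spawning a shell or ping (the macro behaviour), and the off-the-shelf post-exploitation tools named in the report appearing as process images. The following is an added example written for this article, not code from Kaspersky or CISA; the process-creation events are constructed samples, the C2 hostname is a placeholder, and the process and tool names are assumptions about how those tools appear on disk.

```python
# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
# Not real telemetry from the incident; made up to exercise the two rules below.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ping -n 1 c2-placeholder.invalid"},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping -n 1 c2-placeholder.invalid"},
    {"host": "srv02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\NTDSDumpEx.exe", "cmdline": "NTDSDumpEx.exe -d ntds.dit -o out.txt"},
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# Office parents and the children a macro typically launches (assumed image names).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "ping.exe", "wscript.exe", "cscript.exe"}
# Tools named in the report, matched on image name only; a renamed binary evades this rule,
# so treat it as a cheap first signal, not the only one.
KNOWN_TOOLS = {"dumpert.exe", "ntdsdumpex.exe", "forkdump.exe", "3proxy.exe", "powerline.exe"}


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the names of the rules a single process-creation event triggers."""
    hits = []
    parent, image = basename(event["parent"]), basename(event["image"])
    if parent in OFFICE_PARENTS and image in SHELL_CHILDREN:
        hits.append("office_spawned_shell")  # macro launching cmd/ping toward C2
    if image in KNOWN_TOOLS:
        hits.append("known_postex_tool")  # credential dumping / proxy tooling on a host
    return hits


def scan(events):
    """Run both rules over a list of events and collect findings per host."""
    findings = []
    for ev in events:
        for rule in detect(ev):
            findings.append({"host": ev["host"], "rule": rule, "image": basename(ev["image"])})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

The second sample event (cmd.exe launching ping.exe) deliberately produces no finding on its own: the parent chain, not the ping itself, is the signal, so correlate on the Office ancestor rather than alerting on every ping.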

The Andariel APT group's use of weaponized Word documents to drop new malware adds another layer of complexity to its operations.