“Andariel infects machines by executing the Log4J exploit, which in turn downloads further malware from command-and-control (C2) servers,” Kaspersky said in a new report.
Also called Silent Chollima and Stonefly, Andariel is linked to North Korea’s Lab 110, a primary hacking unit that also includes APT38 (aka BlueNoroff) and other subordinate elements that are collectively tracked under the name Lazarus Group.
The threat actor is known to conduct cybercrime as an additional source of income for the sanctions-affected nation, in addition to conducting espionage attacks against foreign government and military entities of strategic interest.
Some of the major cyber-weapons in its arsenal include a ransomware strain called Maui, and several remote access trojans and backdoors such as Dtrack (aka Valefor and Preft), NukeSped (aka Manuscrypt), MagicRAT, and YamaBot.
NukeSped includes a range of features for creating and terminating processes and for transferring, reading, and writing files on infected hosts. The use of NukeSped overlaps with a campaign tracked by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) under the name TraderTraitor.
Andariel’s weaponization of the Log4Shell vulnerability in unpatched VMware Horizon servers was first documented in 2022 by the AhnLab Security Emergency Response Center (ASEC) and Cisco Talos.
The latest attack chain discovered by Kaspersky shows that EarlyRat is propagated via phishing emails that contain fake Microsoft Word documents. The files, when opened, prompt recipients to enable macros, thereby executing the VBA code responsible for downloading the Trojan.
Described as a simple but limited backdoor, EarlyRat is designed to execute arbitrary commands as well as collect system information and send it to a remote server. It also shares high-level similarities with MagicRAT, although EarlyRat is written using a framework called PureBasic, whereas MagicRAT uses the Qt framework.
Another overlooked tactic seen in attacks exploiting the Log4j Log4Shell vulnerability over the past year relates to the use of legitimate off-the-shelf tools such as 3Proxy, ForkDump, NTDSDumpEx, PowerLine, and PuTTY for further exploitation of the target.
“Despite being an APT group, Lazarus is known to perform specific cybercrime tasks, such as deploying ransomware, which further complicates the cybercrime landscape,” Kaspersky said. “In addition, the group uses a variety of custom tools, constantly updating existing ones and developing new malware.”