Human Error Highlights a North Korean Intrusion
Category: Threat Actor Activity | Industry: Global | Source: Kaspersky
A network intrusion attributed to Andariel, a sub-group of the North Korean Lazarus group, was observed by researchers at Kaspersky. The intrusion was initiated by exploiting the Log4Shell vulnerability (CVE-2021-44228). Although the initial malware deployed by Andariel operators was not captured, researchers observed their hands-on-keyboard activity, which revealed operational mistakes, including typos, while navigating directories on the compromised Windows host. Kaspersky noted, "Another funny moment was when the operators realized they were in a system that used the Portuguese locale. This took surprisingly long: they only learned after executing cmd.exe /c net localgroup."
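The hands-on-keyboard activity above, a Java process (the Log4Shell foothold) spawning cmd.exe to run discovery commands such as net localgroup, is the kind of parent/child relationship a defender can hunt for in process-creation telemetry. The following is an added example, not Kaspersky's code or data: the log lines and their pipe-separated format (timestamp | parent image | image | command line) are constructed for illustration.

```python
# Added example: flag process-creation events where java.exe spawns cmd.exe,
# and note when the command line is a local discovery command such as
# "net localgroup". Log format and sample lines are constructed assumptions.
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real data); fields separated by " | ".
SAMPLE_LOG = """\
2023-06-01T10:01:02Z | C:\\java\\bin\\java.exe | C:\\Windows\\System32\\cmd.exe | cmd.exe /c net localgroup
2023-06-01T10:01:09Z | C:\\java\\bin\\java.exe | C:\\Windows\\System32\\cmd.exe | cmd.exe /c whoami
2023-06-01T10:02:00Z | C:\\Windows\\explorer.exe | C:\\Windows\\System32\\cmd.exe | cmd.exe /c dir
2023-06-01T10:03:00Z | C:\\java\\bin\\java.exe | C:\\java\\bin\\java.exe | java -jar app.jar
"""

# Common host/account discovery commands seen after an initial foothold.
DISCOVERY = re.compile(r"\b(net\s+(localgroup|user|group)|whoami|systeminfo|ipconfig)\b", re.I)


@dataclass
class Finding:
    ts: str
    parent: str
    cmdline: str
    reason: str


def parse_line(line: str):
    """Split one constructed log line into its four fields, or None if malformed."""
    parts = [p.strip() for p in line.split(" | ")]
    return parts if len(parts) == 4 else None


def analyse(log_text: str) -> list:
    """Return a Finding for every cmd.exe launched by a java.exe parent."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ts, parent, image, cmdline = rec
        if parent.lower().endswith("java.exe") and image.lower().endswith("cmd.exe"):
            m = DISCOVERY.search(cmdline)
            reason = (f"java.exe spawned cmd.exe running discovery: {m.group(0)}"
                      if m else "java.exe spawned cmd.exe")
            findings.append(Finding(ts, parent, cmdline, reason))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f.ts, f.reason)
```

A benign explorer.exe-launched shell and Java re-spawning itself are left unflagged, so the rule keys on the parent/child pair rather than on cmd.exe alone.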
During the investigation of Andariel, Kaspersky also discovered a new remote access trojan known as "EarlyRAT." Initially, it was assumed that the RAT was dropped following the exploitation of Log4j. However, further analysis revealed that EarlyRAT was mainly distributed through a phishing document. Kaspersky found similarities between EarlyRAT and another Lazarus remote access trojan called MagicRAT. EarlyRAT's features were found to be "very simple," as its remote command execution capabilities were the only notable features called out by Kaspersky.