
Andariel APT Utilizes Weaponized Word Doc for Malware Distribution


A recent research study has uncovered new insights into the activities of the Andariel group, a subset of the infamous Lazarus group. The findings reveal that Andariel has introduced multiple new malware families, including YamaBot and MagicRat, as well as updated versions of NukeSped and DTrack.

One of the notable attacks attributed to Andariel is the Maui ransomware attack, which utilized the DTrack backdoor. In this attack, the group took advantage of the Log4j vulnerability to gain unauthorized access. The Log4j vulnerability has been a major concern in the cybersecurity community due to its potential for abuse by threat actors.

The US Cybersecurity and Infrastructure Security Agency (CISA) has reported that the Maui ransomware primarily targets companies and government organizations in the US healthcare sector. This highlights the potential impact on critical infrastructure and the need for robust cybersecurity measures in these sectors.

The research also revealed the existence of a previously undocumented malware family and additional tactics, techniques, and procedures (TTPs) employed by the Andariel group. The group infects Windows machines by exploiting the Log4j vulnerability and then downloads further malware from its command and control (C2) server.

The primary tool utilized by the Andariel group is the DTrack malware. This malware collects information about the victim’s system and sends it to a remote host controlled by the threat actors. The collected data includes browser history, which is saved to a separate file. In the case of Andariel attacks, the harvested information is sent to the cybercriminals’ server via HTTP and stored on a remote host within the victim’s network.

Interestingly, the research indicates that most of the commands executed during the attack were carried out manually by the threat actors. This suggests a high level of sophistication and adaptability on the part of the Andariel group. It is also worth noting that no ransom notes were found on the victim machines, further indicating the unique nature of this group’s operations.

The researchers also discovered a set of off-the-shelf tools used by Andariel for further exploitation of their targets. These tools include Supremo remote desktop, 3Proxy, Powerline, Putty, Dumpert, NTDSDumpEx, and ForkDump. This highlights the group’s reliance on readily available tools to carry out their attacks.

Another malware employed by the Andariel group is EarlyRat, which is delivered to victim machines through phishing emails. The malicious attachments in these emails contain warning messages that urge users to enable macros. Once macros are enabled, a command is executed to ping a server associated with the HolyGhost / Maui ransomware campaign.
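The macro chain described above (Word document, macro enabled, a command run to ping a server) leaves a characteristic process ancestry: a network utility or command interpreter whose ancestor is an Office application. The following detection script is an added example and is not code from the article or from the cited research. It assumes a simplified, constructed `pid|ppid|image|commandline` record format standing in for real process-creation telemetry (Sysmon Event ID 1, EDR process events), and the sample events, including the `example-c2.invalid` hostname, are constructed for illustration. It walks the process tree rather than checking only the direct parent, so `ping.exe` launched via `cmd.exe /c` is still attributed to the Word process that started it.

```python
"""Flag command interpreters and network utilities descended from an Office process.

Added example (not from the article). Log format is a constructed
'pid|ppid|image|commandline' line; adapt parse_event() to the real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Office applications that rarely have a legitimate reason to spawn shells.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children commonly driven by document macros, including the ping seen in this campaign.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "ping.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}
MAX_DEPTH = 5  # how far up the tree to look; also guards against ppid cycles


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    # split at most 3 times so a '|' inside the command line is preserved
    pid, ppid, image, cmdline = line.split("|", 3)
    return ProcessEvent(int(pid), int(ppid), image.strip(), cmdline.strip())


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_ancestor(ev: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> Optional[ProcessEvent]:
    """Return the nearest Office ancestor of ev within MAX_DEPTH hops, if any."""
    cur = by_pid.get(ev.ppid)
    for _ in range(MAX_DEPTH):
        if cur is None:
            return None
        if basename(cur.image) in OFFICE_PARENTS:
            return cur
        cur = by_pid.get(cur.ppid)
    return None


def find_alerts(lines: List[str]) -> List[Tuple[ProcessEvent, ProcessEvent]]:
    """Return (suspicious child, Office ancestor) pairs found in the event lines."""
    events = [parse_event(line) for line in lines if line.strip()]
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if basename(ev.image) not in SUSPICIOUS_CHILDREN:
            continue
        ancestor = office_ancestor(ev, by_pid)
        if ancestor is not None:
            alerts.append((ev, ancestor))
    return alerts


# Constructed sample telemetry: Word opens a .docm, the macro runs cmd.exe, which runs ping.
# explorer.exe -> cmd.exe (a user opening a shell) is included as a benign control.
SAMPLE_EVENTS = [
    r"900|1|C:\Windows\explorer.exe|explorer.exe",
    r'4120|900|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"',
    r"5232|4120|C:\Windows\System32\cmd.exe|cmd.exe /c ping -n 1 example-c2.invalid",
    r"5240|5232|C:\Windows\System32\PING.EXE|ping -n 1 example-c2.invalid",
    r"6200|900|C:\Windows\System32\cmd.exe|cmd.exe /c dir",
]

if __name__ == "__main__":
    for child, office in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT pid={child.pid} {basename(child.image)} "
              f"descends from {basename(office.image)} (pid={office.pid}): {child.command_line}")
```

Both the `cmd.exe` and the `ping.exe` events are reported, each attributed to the Word process, while the shell launched from Explorer is ignored. In production this rule is usually paired with an allow-list for known Office add-ins and with the parent command line (a document opened from a Downloads or temp folder is a stronger signal than one opened from a managed share).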

EarlyRat, like many other remote access Trojans (RATs), collects system information upon execution and sends it to the C2 server. The RAT uses a specific template for sending this information, which includes parameters such as “id,” “query,” “rep0,” and “page.” The researchers also noted similarities between EarlyRat and MagicRat, both in the framework used and in their limited functionality.
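A fixed parameter template such as the one described above is something a defender can hunt for in web proxy logs. The script below is an added example, not code from the article or the cited research: it parses a constructed, simplified proxy log (`timestamp src_ip method url status`), extracts the query-string parameter names of each request and flags requests that carry all four names the research lists. Whether EarlyRat places these parameters in the URL query string or in a request body is not stated in the article, so the query-string placement, the `/index.php` path and the `example-c2.invalid` host are assumptions made for the sample data.

```python
"""Hunt for HTTP requests matching the EarlyRat parameter template in a proxy log.

Added example (not from the article). Log format is constructed:
'<timestamp> <src_ip> <method> <url> <status>' per line.
"""
from collections import Counter
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlsplit

# Parameter names reported for the EarlyRat check-in template.
EARLYRAT_PARAMS = frozenset({"id", "query", "rep0", "page"})


def parse_log_line(line: str) -> Dict[str, object]:
    ts, src, method, url, status = line.split()
    return {"ts": ts, "src": src, "method": method, "url": url, "status": int(status)}


def query_param_names(url: str) -> Set[str]:
    """Names of all query-string parameters, including ones with an empty value."""
    # keep_blank_values=True matters: a beacon may send 'rep0=' with no payload,
    # and the default would silently drop that name.
    return set(parse_qs(urlsplit(url).query, keep_blank_values=True))


def matches_earlyrat_template(url: str) -> bool:
    """True when every template parameter is present, regardless of order or extras."""
    return EARLYRAT_PARAMS <= query_param_names(url)


def find_beacons(lines: List[str]) -> List[Dict[str, object]]:
    return [rec for rec in (parse_log_line(l) for l in lines if l.strip())
            if matches_earlyrat_template(str(rec["url"]))]


def beacon_sources(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count matching requests per internal source address to surface repeat check-ins."""
    return dict(Counter(str(h["src"]) for h in hits))


# Constructed sample log. Two hosts talk to the assumed C2 path; two benign
# requests share some of the parameter names but not the full template.
SAMPLE_PROXY_LOG = [
    "2023-06-28T09:12:01Z 10.0.0.5 GET http://example-c2.invalid/index.php?id=AB12&query=1&rep0=Q0hFQ0s&page=1 200",
    "2023-06-28T09:12:44Z 10.0.0.5 GET http://example-c2.invalid/index.php?id=AB12&query=2&rep0=&page=1 200",
    "2023-06-28T09:13:10Z 10.0.0.7 GET http://intranet.example/search?query=budget&page=2 200",
    "2023-06-28T09:13:12Z 10.0.0.9 GET http://example-c2.invalid/index.php?page=1&rep0=x&query=3&id=CD34 200",
    "2023-06-28T09:14:00Z 10.0.0.7 GET http://shop.example/items?id=42&page=1 200",
]

if __name__ == "__main__":
    hits = find_beacons(SAMPLE_PROXY_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['url']}")
    print("per-source counts:", beacon_sources(hits))
```

Requiring the full set of names keeps ordinary web applications that use `id` or `page` out of the results, and the per-source count turns single hits into a view of which internal hosts are checking in repeatedly. A match on the template alone is a lead for triage rather than proof of infection; confirm it against the process that made the request and the destination's reputation before acting.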

The Lazarus group, of which Andariel is a part, is known for conducting traditional cybercrime operations, including executing ransomware attacks. This adds another layer of complexity to the cybersecurity landscape, as the group frequently updates its tools and develops new malware. Understanding the tactics, techniques, and procedures used by these groups is crucial for early detection and prevention of attacks.

In conclusion, the latest research provides valuable insights into the activities of the Andariel group, a subset of the Lazarus group. The group has introduced new malware families and employed various TTPs in their attacks, including the exploitation of the Log4j vulnerability. The findings highlight the need for robust cybersecurity measures, particularly in critical sectors such as healthcare. By understanding the tools and techniques used by threat actors like Andariel, organizations can strengthen their defenses and mitigate the risk of cyberattacks.
