"Uncovering Andariel's EarlyRat Malware in Log4j Log4Shell Exploits"

The North Korea-linked threat actor Andariel has been making headlines recently due to its extensive use of malicious tools in attacks against foreign government and military entities of strategic interest. In a report published by Kaspersky, Andariel is linked to North Korea's Lab 110, a primary hacking unit that is home to APT38 (also known as BlueNoroff) and other subordinate elements collectively tracked under the umbrella name Lazarus Group.

One of the tools used by Andariel is a previously undocumented malware called EarlyRat, which exploits the Log4j Log4Shell vulnerability. This malicious code is then used to execute a Log4j exploit, which downloads further malware from the command-and-control (C2) server. It has been speculated that the threat actor uses cyber crime as an extra source of income for the sanctions-hit nation.

The security research team has identified a range of malicious tools used by Andariel, including a ransomware strain referred to as Maui and numerous remote access trojans and backdoors such as Dtrack (aka Valefor and Preft), NukeSped (aka Manuscrypt), MagicRAT, and YamaBot. NukeSped is capable of creating and terminating processes and of moving, reading, and writing files on the infected host. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a campaign using NukeSped, which it calls TraderTraitor. The campaign is believed to target various nations and appears to be focused on collecting intelligence and gathering sensitive data. It is possible that Andariel is behind this campaign as well, although there is no definitive proof of this.

Given the sophistication of the malicious tools used by Andariel, it is clear that the threat actor is highly capable and able to launch large-scale cyber attacks. Organizations need to be aware of the threat posed by Andariel and take the necessary steps to protect their systems against such attacks. They should ensure that their systems are regularly patched and updated, that they are using the latest anti-malware and security solutions, and that they are monitoring their networks for any suspicious activity. It is also important for organizations to be aware of the tactics used by Andariel and other malicious actors. By understanding the methods these threat actors use, organizations can better protect themselves from malicious activity and ensure that their networks remain secure.
