Sunday, December 8, 2024
HomeMalwareAndariel APT Hackers Drop a New Malware On Windows Via Weaponized MS...

Andariel APT Hackers Drop a New Malware On Windows Via Weaponized MS Word Doc

Published on

SIEM as a Service

The latest research discovered Andariel, a part of the Lazarus group, introduced several new malware families, such as YamaBot and MagicRat, updated versions of NukeSped and DTrack. 

Andariel group executed the Maui ransomware attack using the DTrack backdoor by exploiting the Log4j vulnerability to gain access.

US Cybersecurity and Infrastructure Security Agency (CISA) reported that Maui ransomware targets mainly companies and government organizations in the US healthcare sector.  

- Advertisement - SIEM as a Service

As a result, researchers uncovered a previously undocumented malware family and an addition to Andariel’s set of TTPs. 

DTrack Backdoor

Andariel infects Windows machines by executing a Log4j exploit that downloads further malware from the C2 server

The Andariel group’s primary tool is the long-established malware DTrack. It collects information about a victim and sends it to a remote host.  

DTrack collects browser history and saves it to a separate file. The variant used in Andariel attacks sends the harvested information to the cybercriminals’ server via HTTP and stores it on a remote host in the victim’s network. 

Kaspersky found most of the commands during the attack was executed manually; it did not leave any ransom notes on victim machines. 

Also, it found a set of off-the-shelf tools, Andariel, that were installed and run during the command execution phase and then used for further exploitation of the target. Below are some examples: 

  • Supremo remote desktop 
  • 3Proxy 
  • Powerline 
  • Putty 
  • Dumpert 
  • NTDSDumpEx 
  • ForkDump 

Early RAT

Andariel also uses Early RAT to target the victim machine delivered through phishing emails. The malicious attachment delivers a warning message to the users to enable macros. 

Once the user has enabled the macros, it executes a command to ping a server associated with the HolyGhost / Maui ransomware campaign. 

EarlyRat, just like many other RATs (remote access Trojans), collects system information upon starting and sends it to the C2 using the following template: 

The request has two different parameters: “id” and “query.” Next, the “rep0” and “page” parameters are also supported. They are used in the following cases: 

  • id: unique ID of the machine used as a cryptographic key to decrypt value from “query” 
  • query: the actual content. Is Base64 encoded and rolling XORed with the key specified in the “id” field. 
  • rep0: the value of the current directory 
  • page: the value of the internal state 

There are several high-level similarities between EarlyRat and MagicRat. Both are written using a framework: QT is used for MagicRat and PureBasic, for EarlyRat. Also, the functionality of both RATs is very limited. 

Although an APT group, Lazarus is notorious for carrying out traditional cybercrime operations, such as executing ransomware, which complicates the cybercrime scene. The gang also employs various unique tools, frequent updates and creates new viruses. 

Concentrating on TTPs reduces attribution time and aids in the early detection of attacks. With the aid of this knowledge, preventive efforts can be taken to avert incidents. Andariel APT Group uses weaponized Word Documents to Drop new Malware.

Look for Best Business Email Protection? Try Trustifi, An AI-Based Email security Solution – .

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...