Friday, September 13, 2024
HomeMalwareAndariel APT Hackers Drop a New Malware On Windows Via Weaponized MS...

Andariel APT Hackers Drop a New Malware On Windows Via Weaponized MS Word Doc

Published on

The latest research discovered Andariel, a part of the Lazarus group, introduced several new malware families, such as YamaBot and MagicRat, updated versions of NukeSped and DTrack. 

Andariel group executed the Maui ransomware attack using the DTrack backdoor by exploiting the Log4j vulnerability to gain access.

US Cybersecurity and Infrastructure Security Agency (CISA) reported that Maui ransomware targets mainly companies and government organizations in the US healthcare sector.  

- Advertisement - EHA

As a result, researchers uncovered a previously undocumented malware family and an addition to Andariel’s set of TTPs. 

DTrack Backdoor

Andariel infects Windows machines by executing a Log4j exploit that downloads further malware from the C2 server

The Andariel group’s primary tool is the long-established malware DTrack. It collects information about a victim and sends it to a remote host.  

DTrack collects browser history and saves it to a separate file. The variant used in Andariel attacks sends the harvested information to the cybercriminals’ server via HTTP and stores it on a remote host in the victim’s network. 

Kaspersky found most of the commands during the attack was executed manually; it did not leave any ransom notes on victim machines. 

Also, it found a set of off-the-shelf tools, Andariel, that were installed and run during the command execution phase and then used for further exploitation of the target. Below are some examples: 

  • Supremo remote desktop 
  • 3Proxy 
  • Powerline 
  • Putty 
  • Dumpert 
  • NTDSDumpEx 
  • ForkDump 

Early RAT

Andariel also uses Early RAT to target the victim machine delivered through phishing emails. The malicious attachment delivers a warning message to the users to enable macros. 

Once the user has enabled the macros, it executes a command to ping a server associated with the HolyGhost / Maui ransomware campaign. 

EarlyRat, just like many other RATs (remote access Trojans), collects system information upon starting and sends it to the C2 using the following template: 

The request has two different parameters: “id” and “query.” Next, the “rep0” and “page” parameters are also supported. They are used in the following cases: 

  • id: unique ID of the machine used as a cryptographic key to decrypt value from “query” 
  • query: the actual content. Is Base64 encoded and rolling XORed with the key specified in the “id” field. 
  • rep0: the value of the current directory 
  • page: the value of the internal state 

There are several high-level similarities between EarlyRat and MagicRat. Both are written using a framework: QT is used for MagicRat and PureBasic, for EarlyRat. Also, the functionality of both RATs is very limited. 

Although an APT group, Lazarus is notorious for carrying out traditional cybercrime operations, such as executing ransomware, which complicates the cybercrime scene. The gang also employs various unique tools, frequent updates and creates new viruses. 

Concentrating on TTPs reduces attribution time and aids in the early detection of attacks. With the aid of this knowledge, preventive efforts can be taken to avert incidents. Andariel APT Group uses weaponized Word Documents to Drop new Malware.

Look for Best Business Email Protection? Try Trustifi, An AI-Based Email security Solution – .

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Citrix Workspace App Vulnerable to Privilege Escalation Attacks

Citrix released a security bulletin (CTX691485) detailing two critical vulnerabilities in the Citrix Workspace...

Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign...

Hackers Exploiting Apache OFBiz RCE Vulnerability in the Wild

A critical vulnerability in the Apache OFBiz framework has been actively exploited by hackers....

Docker Desktop Vulnerabilities Let Attackers Execute Remote Code

Docker has addressed critical vulnerabilities in Docker Desktop that could allow attackers to execute...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

New Loki Backdoor Attacking macOS Systems

Cody Thomas developed Apfell, an open-source macOS post-exploitation framework, in 2018 and evolved into...

Threat Actors Using New Malware Toolkit That Involves IIS Backdoor, DNS Tunneling

The Iranian threat actor APT34, also known as GreenBug, has recently launched a new...

Beware Of Malicious Chrome Extension That Delivers Weaponized ZIP Archive

In August 2024, researchers detected a malicious Google Chrome browser infection that led to...