Andariel’s silly mistakes and a new malware family
Securelist, 28 June 2023
https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/

Introduction

Andariel, a part of the notorious Lazarus group, is known for its use of the DTrack malware and the Maui ransomware in mid-2022. During the same period, Andariel also actively exploited the Log4j vulnerability, as reported by Talos and Ahnlab. Their campaign introduced several new malware families, such as YamaBot and MagicRat, as well as updated versions of NukeSped and, of course, DTrack.

While on an unrelated investigation recently, we stumbled upon this campaign and decided to dig a little bit deeper. We discovered a previously undocumented malware family and an addition to Andariel’s set of TTPs.

From initial infection to fat fingers

Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the C2 server. Unfortunately, we were unable to catch the first piece of malware they downloaded, but we did see that exploitation was closely followed by the DTrack backdoor being downloaded.

From this point on, things got rather interesting, as we were able to reproduce the commands the attackers executed. It quickly became clear that the commands were run by a human operator, and judging by the number of mistakes and typos, likely an inexperienced one. For example:


Note how “Program” is misspelled as “Prorgam”. Another funny moment was when the operators realized they were in a system that used the Portuguese locale. This took surprisingly long: they only learned after executing cmd.exe /c net localgroup, as you can see below:


We were also able to identify the set of off-the-shelf tools that Andariel installed and ran during the command execution phase, and then used for further exploitation of the target. Below are some examples: