The North Korea-aligned threat actor known as Andariel leveraged a previously undocumented malware called EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. "Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the command-and-control (C2) server," Kaspersky said in a new report.
Also called Silent Chollima and Stonefly, Andariel is associated with North Korea's Lab 110, a primary hacking unit that also houses APT38 (aka BlueNoroff) and other subordinate elements collectively tracked under the umbrella name Lazarus Group. The threat actor, besides conducting espionage attacks against foreign government and military entities that are of strategic interest, is known to carry out cyber crime as an extra source of income for the sanctions-hit nation.
The latest attack chain discovered by Kaspersky shows that EarlyRat is propagated by means of phishing emails containing decoy Microsoft Word documents. The files, when opened, prompt the recipients to enable macros, leading to the execution of VBA code responsible for downloading the trojan.