North Korean ‘Andariel’ Threat Group Adds New EarlyRAT Malware to Its Phishing Campaign
- Written by Shipra Sanganeria, Cybersecurity & Tech Writer
In mid-2022, the threat actor Andariel was known for using the DTrack malware and the Maui ransomware. To breach its targets' networks, Andariel also exploited the Log4j vulnerability, while introducing several new malware families, such as YamaBot and MagicRAT, and updated versions of NukeSped and DTrack.
EarlyRAT was discovered by Kaspersky during an unrelated investigation into Andariel's campaign. The threat group was observed infecting its targets' machines by executing a Log4j exploit, which then downloaded further malware from a C2 (command and control) server.
In the case of EarlyRAT, however, the malware was propagated using phishing documents (Microsoft Word files). These documents used macros to fetch the malware from a server linked to the Maui ransomware campaign.
EarlyRAT is a simple remote access trojan which, when executed, collects system information and sends it to a C2 server. "In terms of functionality, EarlyRAT is very simple. It is capable of executing commands, and that is about the most interesting thing it can do," the report stated. Similarities were also noted between EarlyRAT and MagicRAT: both have limited functionality, and both are built on a framework, PureBasic for EarlyRAT and Qt for MagicRAT.
The investigation further revealed that the commands were being executed by an inexperienced human operator, judging by the number of mistakes and typing errors. A new tactic used by Andariel was also identified: the use of a set of off-the-shelf legitimate tools, including PuTTY, 3Proxy, ForkDump, NTDSDumpEx, Powerline and SupRemo, among others.
Given that Lazarus and its sub-groups engage not only in APT operations but also in cybercrime, such as ransomware deployment, it is imperative to study both the complex and the simple malware introduced by this group. By focusing on TTPs (tactics, techniques, and procedures), targeted organizations can pre-empt attacks and deploy "proactive countermeasures to prevent incidents from happening," Kaspersky noted.
LetMeSpy Reports Massive Data Theft in Recent Attack by Hackers
- Written by Shipra Sanganeria, Cybersecurity & Tech Writer
LetMeSpy, a popular Android phone tracking app, disclosed in a statement a data breach that allowed an unauthorized third party to steal the sensitive information of thousands of users.
The security breach occurred in late June 2023, when an unknown hacker compromised the spyware's network and exfiltrated the email addresses, phone numbers, call logs, messages, and location information of its website users.
On discovering the incident, the company immediately informed the relevant law enforcement agencies and the Polish data protection authority, UODO. As a containment measure, LetMeSpy has suspended all account-related activities on both the website and the app. The threat actor and their motive for the attack remain unknown.
In January 2023, the data on LetMeSpy’s website revealed that its app had been used to track 236,322 phones worldwide. It had collected more than 63.5 million text messages, 39.7 million call logs, and 43.2 million locations.
The data breach was first reported by the Polish security research blog Niebezpiecznik. In addition to analyzing the stolen data, which included information on thousands of users, the researchers reached out to LetMeSpy for confirmation, but the response came from the hackers instead. They claimed to have taken over the spyware maker's domain and reportedly deleted the databases stored on the server.
Moreover, TechCrunch's analysis of the leaked information revealed that the stolen user records date back to 2013, when LetMeSpy was first launched. The data also contained information on nearly 13,000 compromised devices and 13,400 locations belonging to thousands of victims. The location points showed that the majority of victims were in the US, India, and Western Africa.