
CTI Roundup: North Korean Andariel Group Strikes With EarlyRat Malware

8Base ransomware activity spikes, China-linked Volt Typhoon APT uses novel tradecraft to gain initial access to target networks, and North Korean hacker group Andariel strikes with new EarlyRat malware

Emerging Issue

Up first in this week’s roundup, CTI explores the 8Base ransomware group and its recent spike in activity. Next, CTI investigates Volt Typhoon — a China-linked advanced persistent threat (APT) group that employs novel tradecraft to access target networks. Finally, CTI investigates a new report revealing how Andariel, a North Korea-backed threat actor, deployed a previously unknown malware last year in cyberattacks exploiting the Log4j Log4Shell vulnerability.

1. 8Base ransomware spikes in activity, threatens US and Brazilian businesses

VMware’s Threat Analysis Unit has released its analysis of the 8Base ransomware group, attributing a massive spike in activity in May and June of this year to the gang.

Here are some key takeaways from the report:

  • It appears that 8Base is the continuation of a more mature ransomware group rather than a new operation, given the similarities observed in the tactics used in recent 8Base ransomware attacks.
  • The 8Base ransomware group, which describes itself as “simple pen testers,” has been active since March 2022 but only launched its data leak site in May of 2023. The group rapidly increased its number of attacks in May, listing about 30 victims on its leak site for the month, compared to fewer than five the month prior.
  • The newly discovered ransomware gang was responsible for roughly 15% of all ransomware attacks in May 2023. To put this number in perspective, the notorious LockBit group was responsible for 18% of ransomware attacks that same month.
  • According to Malwarebytes and NCC Group, 8Base has been linked to a total of 67 attacks as of May 2023. Of these attacks, roughly 50% of the victims were in the business services, manufacturing, and financial sectors.
  • 8Base appears to predominantly target small and medium-sized businesses (SMBs), with most of the victims being in the US and Brazil.

8Base and RansomHouse: What’s the connection?

VMware noticed significant similarities between this operation and the RansomHouse cybercrime operation. However, it’s important to keep in mind that RansomHouse uses several different types of ransomware, all of which are available on the dark web. The group does not have its own signature ransomware.

Researchers identified a 99% match in the linguistics contained in the ransom notes distributed by these groups. They also conducted a side-by-side comparison of each group’s leak site, and again found the language to be nearly identical. Further, the welcome pages, terms of service, and FAQ pages for both leak sites were copied word for word.

Researchers found only two major differences while comparing the two threat groups. The first key difference is that RansomHouse advertises its partnerships and actively recruits for partnerships, and 8Base does not. The second key difference has to do with the layout and design of the leak pages themselves.

8Base and Phobos ransomware

While researchers were searching for a sample of ransomware from the 8Base ransom group, they came across a Phobos ransomware sample that uses the .8base file extension for its encrypted files.

A deeper dive revealed that 8Base was using Phobos version 2.9.1 loaded with SmokeLoader. Since Phobos operates as ransomware-as-a-service (RaaS), it is not surprising that this occurred. Threat actors can customize pieces of the ransomware to their own needs, as is likely the case here.

While 8Base added customization with the .8base file extension, the format of the entire appended portion was the same as Phobos. It included an ID section, email address, and file extension.
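The point above is that the affiliate-chosen extension varies while the appended structure stays the same, so a detection that keys only on `.8base` misses other Phobos builds. The following added example (not from VMware or the original post) parses the appended portion and groups hits by extension; the exact `id[...]` and bracketed e-mail layout is an assumption based on commonly published Phobos samples, and all file names are constructed.

```python
import re
from typing import NamedTuple, Optional

# Phobos-family encrypted files carry an appended suffix made of the three parts the
# text names: an ID section, an operator e-mail address and an extension. The exact
# token layout below (an id[...] block and a bracketed e-mail) is an assumption
# drawn from commonly published Phobos samples, not from this page.
PHOBOS_SUFFIX = re.compile(
    r"""^(?P<original>.+?)                                        # original name
        \.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<campaign>\d{4})\]  # ID section
        \.\[(?P<email>[^\[\]\s@]+@[^\[\]\s@]+)\]                   # operator e-mail
        \.(?P<ext>[A-Za-z0-9_]+)$                                  # affiliate extension
    """,
    re.VERBOSE,
)

class PhobosRename(NamedTuple):
    original: str
    victim_id: str
    campaign: str
    email: str
    ext: str

def parse_phobos_name(name: str) -> Optional[PhobosRename]:
    """Return the structured suffix if `name` follows the Phobos layout, else None."""
    m = PHOBOS_SUFFIX.match(name)
    return PhobosRename(**m.groupdict()) if m else None

def scan_filenames(names):
    """Group suspected Phobos renames by extension, so an affiliate-specific
    extension such as .8base is reported next to any other Phobos build."""
    hits = {}
    for n in names:
        parsed = parse_phobos_name(n)
        if parsed:
            hits.setdefault(parsed.ext, []).append(parsed)
    return hits
# Constructed file listing (the IDs, addresses and the second extension are invented).
SAMPLE_FILES = [
    "Q2-forecast.xlsx.id[1A2B3C4D-3350].[ops@example.invalid].8base",
    "notes.txt.id[1A2B3C4D-3350].[ops@example.invalid].8base",
    "invoice.pdf.id[DEADBEEF-2901].[other@example.invalid].demo",
    "report.docx.8base",   # bare extension only: not the Phobos layout
    "readme.md",
]

if __name__ == "__main__":
    for ext, items in scan_filenames(SAMPLE_FILES).items():
        print(f".{ext}: {len(items)} file(s), victim id(s) {sorted({i.victim_id for i in items})}")
```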

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Even though LockBit and Cl0p seem to be dominating the ransomware space lately, 8Base seems to be rising up to the challenge. In fact, the group cracked the top two ransom groups over the past 30 days.”

“Unfortunately, there is not much public information available about the group’s methodologies, tactics, or underlying motivations.”

VMware sums up their thoughts around the group:

We can only speculate at this time that they are using several different types of ransomware – either as earlier variants or as part of their normal operating procedures. What we do know is that this group is highly active and targets smaller businesses.

“Even with little known about the group, so far, 8Base remains one of the top active ransomware operations of the summer.”

2. China-linked APT Volt Typhoon uses novel tradecraft to access target networks

Researchers at CrowdStrike claim to have observed the China-linked advanced persistent threat (APT) group tracked as Volt Typhoon using novel tradecraft to gain initial access to target networks.

CrowdStrike’s Falcon Complete managed detection and response (MDR) team cites a recent Volt Typhoon incident to which the team responded, following a detection triggered by suspicious reconnaissance commands.

What is Volt Typhoon?

Volt Typhoon is a state-sponsored threat actor based in China. The group typically engages in cyberespionage and information gathering in support of intelligence requirements (IRs) that align with Chinese state interests.

Initial public reporting on the actor highlights Volt Typhoon’s near-exclusive use of living-off-the-land (LotL) techniques and frequent hands-on-keyboard activity, in a bid to evade detection wherever possible.

Volt Typhoon has reportedly been active since mid-2021. It targets entities across a wide range of critical sectors, including government, maritime, communications, manufacturing, information technology, utilities, transportation, construction, and education.

A report from Microsoft, in coordination with various multi-national cybersecurity agencies, says that Volt Typhoon’s recent cyberespionage campaigns consist of stealthy and targeted attacks, which Microsoft says are “focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States.”

Volt Typhoon’s latest operations

Volt Typhoon was recently observed exploiting ManageEngine ADSelfService Plus to gain initial access, after which the attackers relied on custom webshells to maintain persistent access and on LotL techniques for lateral movement.

CrowdStrike’s Falcon Complete team, in combination with the firm’s Falcon OverWatch threat hunting team, responded to a detection triggered by suspicious reconnaissance commands executed with an Apache Tomcat web server running ManageEngine ADSelfService Plus.

From CrowdStrike:

The malicious activity detailed in the detection included listing processes, network connectivity testing, gathering user and group information, mounting shares, enumeration of domain trust over WMI, and listing DNS zones over WMI. VANGUARD PANDA’s [referred to herein as Volt Typhoon – Tanium CTI] actions indicated a familiarity with the target environment, due to the rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for WMI.

During the investigation that followed CrowdStrike’s notification of the reconnaissance activity, the incident response team swiftly contained the compromised host, isolating it and cutting off any further interaction by the adversary.
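The detection CrowdStrike describes fired on reconnaissance commands spawned from a Tomcat web server, in rapid succession and spanning several categories. The added example below (not CrowdStrike’s or Tanium’s code) implements that idea over constructed process-creation events: it flags a host where a web-server parent launches commands covering at least three of the recon categories listed above within a short window. The parent-image set, the regexes and all sample events are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Parent images treated as web-server workers (assumption; extend for your estate).
WEB_SERVER_PARENTS = {"java.exe", "tomcat9.exe", "w3wp.exe", "httpd.exe"}
# Recon categories mirror the activity listed in the text, keyed on the usual commands.
RECON_CATEGORIES = {
    "process_listing":   r"\btasklist\b",
    "connectivity_test": r"\bping\b",
    "user_group_enum":   r"\bnet\s+(user|group|localgroup)\b|\bwhoami\b",
    "share_mount":       r"\bnet\s+use\b",
    "wmi_query":         r"\bwmic\b|get-wmiobject",
}
def classify(cmdline: str) -> set:
    return {c for c, pat in RECON_CATEGORIES.items() if re.search(pat, cmdline, re.I)}
def detect_recon_bursts(events, window_s=120, min_categories=3):
    """Alert when one web-server parent on a host spawns commands spanning at least
    `min_categories` distinct recon categories inside a `window_s`-second window."""
    by_key = defaultdict(list)
    for ts, host, parent, cmd in events:
        cats = classify(cmd)
        if parent.lower() in WEB_SERVER_PARENTS and cats:
            by_key[(host, parent.lower())].append((datetime.fromisoformat(ts), cats))
    alerts = []
    for (host, parent), rows in by_key.items():
        rows.sort(key=lambda r: r[0])
        for i, (start, _) in enumerate(rows):
            seen = set()
            for ts, cats in rows[i:]:
                if ts - start > timedelta(seconds=window_s):
                    break
                seen |= cats
            if len(seen) >= min_categories:
                alerts.append({"host": host, "parent": parent,
                               "start": start.isoformat(), "categories": sorted(seen)})
                break  # one alert per host/parent pair is enough
    return alerts

# Constructed process-creation events (timestamp, host, parent image, command line).
EVENTS = [
    ("2023-06-01T10:00:01", "web01", "java.exe", "cmd.exe /c tasklist"),
    ("2023-06-01T10:00:04", "web01", "java.exe", "cmd.exe /c ping -n 1 fs01"),
    ("2023-06-01T10:00:09", "web01", "java.exe", 'cmd.exe /c net group "Domain Admins" /domain'),
    ("2023-06-01T10:00:15", "web01", "java.exe", r"cmd.exe /c net use Z: \\fs01\share"),
    ("2023-06-01T10:00:22", "web01", "java.exe", "wmic computersystem get domain"),
    ("2023-06-01T11:30:00", "web01", "java.exe", "cmd.exe /c tasklist"),   # isolated: no alert
    ("2023-06-01T10:00:02", "ws07", "explorer.exe", "cmd.exe /c net user"),  # not a web parent
]
```

Tuning `window_s` and `min_categories` trades the rapid-succession signal against noise from legitimate admin scripts run by the same service account.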

Additional tradecraft observed

While all the tactics, techniques, and procedures (TTPs) associated with the exploitation of CVE-2021-40593 were observed during this incident, the expected log artifacts that would definitively confirm the attackers’ exploitation of this particular CVE were absent.

This may be evidence of Volt Typhoon’s efforts to avoid detection and prevent any post-mortem analysis of its activity.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“CTI maintains an active interest in Volt Typhoon and is always on the lookout for reliable reports which detail evolutions and improvements upon the actor’s methodology and TTPs.”

“CrowdStrike’s observation of never-before-documented Volt Typhoon TTPs is valuable, actionable intelligence that may be put to use defending organizations against this threat, and those that leverage similar tactics.”

3. North Korean hacker group Andariel strikes with new EarlyRat malware

A new report posted to Kaspersky’s SecureList blog reveals that the North Korea-backed threat actor tracked as Andariel deployed a previously unknown malware — dubbed EarlyRat — last year in cyberattacks exploiting the Log4j Log4Shell vulnerability.

SecureList’s researchers stumbled upon the campaign during a recent investigation and, after further analysis, discovered both the aforementioned undocumented malware family and additions to Andariel’s set of tactics, techniques, and procedures (TTPs).

A closer look at Andariel

Andariel, which is also tracked as Silent Chollima and Stonefly, is believed to be a sub-group of North Korea’s notorious Lazarus Group APT actor.

In addition to engaging in cyberespionage operations targeting foreign government and military entities of strategic interest to North Korea, Andariel conducts cybercrime campaigns to generate revenue and support the oft-sanctioned nation’s struggling economy and military operations.

As described by an article on the subject published by The Hacker News, some of the key weapons in Andariel’s arsenal include a ransomware strain referred to as Maui and numerous remote access trojans and backdoors such as Dtrack (Valefor and Preft), NukeSped (Manuscrypt), MagicRAT, and YamaBot.

The threat actor’s weaponization of the Log4Shell vulnerability was previously documented by AhnLab Security Emergency Response Center (ASEC) and Cisco Talos in response to its attacks on unpatched VMware Horizon servers in 2022.

Newly documented activity

According to the SecureList report, Andariel was observed infecting machines once again by executing a Log4j exploit, which also resulted in the download of further malware from the command-and-control (C2) server.

While Kaspersky’s researchers were unable to observe the first piece of malware downloaded by the actor, they were able to observe that exploitation of the vulnerability was followed closely by the download of the group’s DTrack backdoor.

Kaspersky’s researchers were able to reproduce the commands executed by the attackers, which made it immediately clear that a human operator was running them, as evidenced by the numerous mistakes and typos observed.

Off-the-shelf tool usage

Kaspersky’s researchers were also able to identify the range of off-the-shelf tools installed and deployed by Andariel operators during the command execution phase; these tools were also later used for further exploitation of the target.

The following are some examples:

  • Supremo remote desktop
  • 3Proxy
  • Powerline
  • Putty
  • Dumpert
  • NTDSDumpEx
  • ForkDump

EarlyRat: An introduction

As stated in the SecureList report, Kaspersky’s researchers first observed a version of EarlyRat during the investigation of one of the Log4j incidents attributed to Andariel.

At the time, the assumption was made that the malware was downloaded via Log4j. However, a hunt for additional samples resulted in the discovery of phishing documents — the ultimate purpose of which was to drop EarlyRat onto compromised devices.

What’s interesting is that the phishing emails in the campaign are not very advanced. What’s more, the phishing documents also request that the targets enable macros, which is notable because many cybercriminals have switched to other options like XLL files, ISO images and MSI files after Microsoft blocked macros by default for several Office applications last year.

Functionality

With regard to EarlyRat’s functionality, the malware is rather simple. It can execute commands, and that is apparently about as exciting as things get with this one.

Like many remote access trojans (RATs), EarlyRat is designed to begin collecting system information upon starting.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“While EarlyRat may not be the most sophisticated piece of malware, Lazarus Group and its sub-components are of great interest to CTI and warrant close monitoring. The groups’ ability to engage in cyberespionage operations while simultaneously conducting financially motivated cybercrime campaigns makes them a more complicated and nuanced threat.”

“CTI takes notice whenever we learn of new TTPs or malware being used by Lazarus and its peers, as this is a threat actor which uses a wide variety of tools (many of them custom), continuously updates existing malware, and often develops new malware and methods of delivering it.”


Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.

Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
