Earlyrat

Malware Profile Updated 3 months ago
Download STIX
Preview STIX
EarlyRat is a previously undocumented malware discovered by Kaspersky researchers in June. The North Korea-linked Advanced Persistent Threat (APT) group Andariel used EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. The malware was first noticed in one of the Log4j cases, and it was assumed that it was downloaded via Log4j. EarlyRat, like the phishing document, is very simple: it is capable of executing commands, but nothing else of interest. The malware has been associated with the North Korea-backed Lazarus Group, specifically a branch thereof. More recently, the group was detected earlier this year using another new malware family called EarlyRat in conjunction with DTrack malware and Maui ransomware. These malicious programs were used to exploit the Log4j flaw for initial access. When hunting for more samples, researchers found phishing documents that ultimately dropped EarlyRat. Researchers have identified high-level similarities between EarlyRat and another malware known as MagicRat. Both are written using different frameworks: QT is used for MagicRat and PureBasic for EarlyRat. Furthermore, CollectionRAT appears related to the "EarlyRat" family, indicating potential shared origins or development strategies. Despite its simplicity, EarlyRat's association with significant cyber threats underscores its potential danger.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Magicrat
2
MagicRAT is a type of malware, first observed by Cisco Talos in 2022, that was used by the Lazarus Group to exploit vulnerabilities in publicly exposed VMWare Horizon platforms, primarily targeting energy companies worldwide. This malicious software, which can infiltrate systems through suspicious d
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Phishing
Vulnerability
Log4j
Apt
Lateral Move...
Exploit
Trojan
Implant
State Sponso...
Kaspersky
Payload
Ransomware
Reconnaissance
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
CollectionratUnspecified
2
CollectionRAT is a newly identified malware, discovered by cybersecurity researchers who traced its origins through reused infrastructure components. This malicious software, short for Malware, is designed to exploit and damage computers or devices, often infiltrating systems via suspicious download
QuiteratUnspecified
2
QuiteRAT is a new type of malware associated with the North Korea-linked Lazarus Group, known for their use of custom malware. Built using the Qt framework, QuiteRAT is smaller in size compared to MagicRAT, another malware linked to the group, due to its incorporation of fewer Qt libraries and lack
DtrackUnspecified
1
DTrack is a type of malware, or malicious software, known for its destructive capabilities. It can infiltrate systems through dubious downloads, emails, or websites and wreak havoc by stealing personal information, disrupting operations, or holding data hostage for ransom. Notably, DTrack was utiliz
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Lazarus GroupUnspecified
3
The Lazarus Group, a notorious threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. The group's malicious activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-
AndarielUnspecified
2
Andariel, a notorious threat actor associated with the Lazarus Group and linked to North Korea, is known for its malicious cyber activities. The group has been identified using DTrack malware and Maui ransomware, notably in mid-2022, and has developed a reputation for exploiting ActiveX objects. Res
Lazarus TeamUnspecified
1
None
StoneflyUnspecified
1
Stonefly, also known as Andariel or Silent Chollima, is a threat actor group believed to be linked with the North Korean government. Active since at least 2015, Stonefly has been involved in numerous attacks, including several attributed to the North Korean state-sponsored operation Lazarus. The gro
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Log4ShellUnspecified
2
Log4Shell is a software vulnerability, specifically a flaw in the design or implementation of the popular Java logging library, Log4j. Identified as CVE-2021-44228, this vulnerability allows an attacker to remotely execute arbitrary code, often leading to full system compromise. Advanced Persistent
Source Document References
Information about the Earlyrat Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
CERT-EU
7 months ago
Lazarus Group Exploits Log4j Flaw in New Malware Campaign
Securityaffairs
7 months ago
Operation Blacksmith: Lazarus exploits Log4j flaws to deploy DLang malware
CERT-EU
a year ago
IT threat evolution in Q2 2023 – GIXtools
CERT-EU
a year ago
IT threat evolution Q2 2023
CERT-EU
a year ago
Lazarus Group Exploits Critical Zoho ManageEngine Flaw to Deploy Stealthy QuiteRAT Malware
CERT-EU
a year ago
Hackers use public ManageEngine exploit to breach internet org
CERT-EU
a year ago
Attacks by Lazarus sub-group involve novel EarlyRAT malware
CERT-EU
a year ago
New Malware Alert: EarlyRAT Linked to North Korean Hacking Group
CERT-EU
a year ago
Log4j bug exploited to push novel EarlyRat malware
CERT-EU
a year ago
North Korean Hacker Group Andariel Strikes with New EarlyRat Malware
CERT-EU
a year ago
North Korea-linked Andariel APT used a new malware named EarlyRat last year | IT Security News
Securityaffairs
a year ago
North Korean Andariel APT used a new malware named EarlyRat
BankInfoSecurity
a year ago
New Malware by Lazarus-Backed Andariel Group Exploits Log4j
CERT-EU
a year ago
North Korean Hacker Group Andariel Strikes with New EarlyRat Malware – GIXtools
CERT-EU
a year ago
Andariel’s Mistakes Uncover New Malware in Lazarus Group Campaign
CERT-EU
a year ago
Andariel’s silly mistakes and a new malware family – GIXtools
CERT-EU
a year ago
Kaspersky crimeware report: Andariel’s mistakes and EasyRat malware