Earlyrat

Malware updated 5 months ago (2024-05-04T17:40:22.238Z)
Download STIX
Preview STIX
EarlyRat is a previously undocumented malware discovered by Kaspersky researchers in June. The North Korea-linked Advanced Persistent Threat (APT) group Andariel used EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. The malware was first noticed in one of the Log4j cases, and it was assumed that it was downloaded via Log4j. EarlyRat, like the phishing document, is very simple: it is capable of executing commands, but nothing else of interest. The malware has been associated with the North Korea-backed Lazarus Group, specifically a branch thereof. More recently, the group was detected earlier this year using another new malware family called EarlyRat in conjunction with DTrack malware and Maui ransomware. These malicious programs were used to exploit the Log4j flaw for initial access. When hunting for more samples, researchers found phishing documents that ultimately dropped EarlyRat. Researchers have identified high-level similarities between EarlyRat and another malware known as MagicRat. Both are written using different frameworks: QT is used for MagicRat and PureBasic for EarlyRat. Furthermore, CollectionRAT appears related to the "EarlyRat" family, indicating potential shared origins or development strategies. Despite its simplicity, EarlyRat's association with significant cyber threats underscores its potential danger.
Description last updated: 2024-05-04T16:47:31.130Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Magicrat is a possible alias for Earlyrat. MagicRAT is a type of malware, first observed by Cisco Talos in 2022, that was used by the Lazarus Group to exploit vulnerabilities in publicly exposed VMWare Horizon platforms, primarily targeting energy companies worldwide. This malicious software, which can infiltrate systems through suspicious d
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Log4j
Malware
Vulnerability
Apt
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Collectionrat Malware is associated with Earlyrat. CollectionRAT is a malicious software (malware) first identified in a Cisco Talos report in 2023, with samples dating as far back as 2021. This Windows-based Remote Access Trojan (RAT) is believed to be connected to the Jupiter/EarlyRAT malware family, which has previously been linked to a Lazarus sUnspecified
2
The Quiterat Malware is associated with Earlyrat. QuiteRAT is a new type of malware associated with the North Korea-linked Lazarus Group, known for their use of custom malware. Built using the Qt framework, QuiteRAT is smaller in size compared to MagicRAT, another malware linked to the group, due to its incorporation of fewer Qt libraries and lack Unspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Lazarus Group Threat Actor is associated with Earlyrat. The Lazarus Group, a notorious threat actor attributed to North Korea, has been implicated in a series of high-profile cyberattacks and illicit activities. The group is known for its sophisticated operations, including Operation DreamJob, which targeted Spain with a high level of confidence. Over thUnspecified
3
The Andariel Threat Actor is associated with Earlyrat. Andariel, also known as Jumpy Pisces, is a threat actor group primarily associated with cyberespionage and ransomware activities. The group has been linked to North Korea's Reconnaissance General Bureau and other APT groups such as Kimsuky and Onyx Sleet. Andariel has been noted for its aggressive tUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The Log4Shell Vulnerability is associated with Earlyrat. Log4Shell is a critical software vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) in the Apache Log4j library. This flaw in software design or implementation allows for remote code execution, providing attackers with potential access to victims' systems. Notably, LockBit affiliatesUnspecified
2
Source Document References
Information about the Earlyrat Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
CERT-EU
10 months ago
Securityaffairs
10 months ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
Securityaffairs
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago