The Andariel threat group has been observed incorporating MeshAgent into its attacks on Korean organizations, expanding its toolkit beyond previously used malware like AndarLoader and ModeLoader. MeshAgent, a remote management tool, enhances the group’s capabilities during lateral movement within compromised networks. Reports indicate that Andariel utilizes a range of malware, including Mimikatz, alongside MeshAgent, AndarLoader, and ModeLoader, resembling tactics employed by the Kimsuky threat group.
AndarLoader, identified as a downloader rather than a backdoor, retrieves and executes executables from a command-and-control (C2) server, utilizing obfuscation techniques like the KoiVM tool for evasion. MeshAgent, newly adopted by Andariel, enables functions such as power management, file operations, and remote desktop access, indicating the group’s sophistication in remote control capabilities. Additionally, ModeLoader, a JavaScript-based malware, is deployed by exploiting the Mshta process to download and execute malicious payloads from C2 servers.
The adoption of MeshAgent marks a notable shift in Andariel’s tactics, demonstrating their agility in leveraging diverse tools for remote management and control. By incorporating MeshAgent alongside existing malware like AndarLoader and ModeLoader, the group seeks to enhance its ability to move laterally within compromised networks and execute commands remotely. The emergence of these tactics underscores the ongoing evolution and adaptability of cyber threat actors, posing challenges for defenders in mitigating sophisticated attacks.
