| Andariel | |
| --- | --- |
| Other Names | Unknown |
| Location | North Korea |
| Date of initial activity | 2009 |
| Suspected attribution | State-sponsored threat group |
| Associated Groups | Lazarus Group, Silent Chollima |
| Motivation | In its early days the group mainly attacked victims to obtain security-related information, but its attacks eventually shifted toward financial gain. |
| Associated tools | gh0st RAT, Andarat, Andaratm, Phandoor, Rifdoor, YamaBot, TigerRAT, MagicRat, Black RAT, Goat RAT, NukeSped, Dtrack, Maui ransomware, 1th Troy Reverse Shell, DurianBeacon, EarlyRat, MeshAgent |
| Active | Yes |
Overview
Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations, which have included destructive attacks, against South Korean government agencies, military organizations, and a variety of domestic companies; it has also conducted financially motivated cyber operations against ATMs, banks, and cryptocurrency exchanges.
Andariel is considered a sub-set of Lazarus Group, and has been attributed to North Korea’s Reconnaissance General Bureau.
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
Common targets
Andariel group is one of the threat actor groups who are most actively targeting South Korea. Major target industries are those related to national security such as national defense, political organizations, shipbuilding, energy, and communications. Various other companies and institutes in Korea including universities, logistics, and ICT companies are also becoming attack targets.
Attack Vectors
The Andariel group is known to use spear phishing and watering hole attacks, and to exploit software vulnerabilities, to gain initial access. There have also been cases in which the group abused already-installed software or exploited vulnerabilities to distribute its malware.
How they operate
During the initial compromise stage, the Andariel threat group usually employs spear phishing, watering hole, and supply chain attacks. Additionally, there are cases where the group abuses central management solutions during the malware installation process. A notable fact about the group is its creation and use of various malware types in its attacks.
Like the Kimsuky group, the Andariel group installed backdoors, took control of the infected systems, and performed additional tasks to remotely control its victims' screens. Many backdoor types have been observed, including Andarat, Andaratm, Phandoor, and Rifdoor in past attacks, as well as TigerRAT and MagicRAT, which have been detected in the past few years.
MITRE ATT&CK Techniques used by Andariel:
- T1005 Data from Local System: Andariel has collected large numbers of files from compromised network systems for later extraction.
- T1189 Drive-by Compromise: Andariel has used watering hole attacks, often with zero-day exploits, to gain initial access to victims within a specific IP range.
- T1203 Exploitation for Client Execution: Andariel has exploited numerous ActiveX vulnerabilities, including zero-days.
- T1592.002 Gather Victim Host Information – Software: Andariel has inserted a malicious script within compromised websites to collect potential victim information such as browser type, system language, Flash Player version, and other data.
- T1590.005 Gather Victim Network Information – IP Addresses: Andariel has limited its watering hole attacks to specific IP address ranges.
- T1105 Ingress Tool Transfer: Andariel has downloaded additional tools and malware onto compromised hosts.
- T1027.003 Obfuscated Files or Information – Steganography: Andariel has hidden malicious executables within PNG files.
- T1588.001 Obtain Capabilities – Malware: Andariel has used a variety of publicly-available remote access Trojans (RATs) for its operations.
- T1566.001 Phishing – Spearphishing Attachment: Andariel has conducted spearphishing campaigns that included malicious Word or Excel attachments.
- T1057 Process Discovery: Andariel has used `tasklist` to enumerate processes and find a specific string.
- T1049 System Network Connections Discovery: Andariel has used the `netstat -naop tcp` command to display TCP connections on a victim's machine.
- T1204.002 User Execution – Malicious File: Andariel has attempted to lure victims into enabling malicious macros within email attachments.
Significant Attacks
Andariel’s notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.
References:
- Andariel
- Andariel Group Exploiting Korean Asset Management Solutions (MeshAgent)
- Analysis of Andariel’s New Attack Activities
- Andariel’s silly mistakes and a new malware family
- Andariel deploys DTrack and Maui ransomware
- Andariel evolves to target South Korea with ransomware
- New Andariel Reconnaissance Tactics Uncovered
- Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups
- Operation GoldenAxe
- Campaign Rifle