Analysis of Andariel’s New Attack Activities
1. Past attack cases 1. 过往攻击案例
…. 1.1. Cases of Innorix Agent abuse
....1.1. Innorix Agent 滥用案例
…….. 1.1.1. NukeSped variant – Volgmer
........1.1.1. NukeSped 变体 – Volgmer
…….. 1.1.2. Andardoor ........1.1.2. 安达多尔
…….. 1.1.3. 1th Troy Reverse Shell
........1.1.3. 第 1 个特洛伊反向壳
…. 1.2. Cases of attacks against Korean corporations
…….. 1.2.1. TigerRat ........1.2.1. 虎鼠
…….. 1.2.2. Black RAT ........1.2.2. 黑鼠
…….. 1.2.3. NukeSped variants
........1.2.3. NukeSped 变体
2. Cases of recent attacks
…. 2.1. Cases of Innorix Agent abuse
....2.1. Innorix Agent 滥用案例
…….. 2.1.1. Goat RAT ........2.1.1. 山羊老鼠
…. 2.2. Cases of attacks against Korean corporations
…….. 2.2.1. AndarLoader ........2.2.1. AndarLoader
…….. 2.2.2. DurianBeacon ........2.2.2. 榴莲信标
3. Connections to recent attack cases
4. Connections to past attack cases of the Andariel group
5. Conclusion 5. 结论
The Andariel threat group which usually targets Korean corporations and organizations is known to be affiliated with the Lazarus threat group or one of its subsidiaries. Attacks against Korean targets have been identified since 2008. Major target industries are those related to national security such as national defense, political organizations, shipbuilding, energy, and communications. Various other companies and institutes in Korea including universities, logistics, and ICT companies are also becoming attack targets.  (this report only supports the Korean version)
众所周知，通常针对韩国公司和组织的 Andariel 威胁组织隶属于 Lazarus 威胁组织或其子公司之一。自 2008 年以来，已经确定了针对韩国目标的袭击。主要目标行业是国防、政治组织、造船、能源、通信等与国家安全相关的行业。韩国的其他各种公司和机构，包括大学、物流和ICT公司也成为攻击目标。 （本报告仅支持韩文版）
During the initial compromise stage, the Andariel threat group usually employs spear phishing, watering hole, and supply chain attacks. Additionally, there are cases where the group abuses central management solutions during the malware installation process.  A notable fact about the group is its creation and use of various malware types in its attacks. There are many backdoor types, including Andarat, Andaratm, Phandoor, and Rifdoor used in the past attacks, as well as TigerRAT  and MagicRAT  which have been detected for the past few years.
在初始入侵阶段，Andariel 威胁组织通常采用鱼叉式网络钓鱼、水坑和供应链攻击。此外，在某些情况下，该组在恶意软件安装过程中滥用中央管理解决方案。 关于该组织的一个值得注意的事实是它在攻击中创建和使用各种恶意软件类型。有许多后门类型，包括过去攻击中使用的 Andarat、Andaratm、Phandoor 和 Rifdoor，以及过去几年检测到的 TigerRAT  和 MagicRAT 。
AhnLab Security Emergency response Center (ASEC) is continuously monitoring the attacks of the Andariel threat group. This blog post will cover details surrounding the recently identified attacks deemed to be perpetrated by the Andariel group. Note that because the malware strains and C&C servers identified in past attack cases were not used in the aforementioned attacks, there is no direct connection. Thus, in order to identify the connection between the recent attacks and the Andariel threat group, this post will first analyze the cases of attacks by the Andariel group in the first half of 2023. Then the analysis will be used to identify the possible link between the attacks and the threat group. Details confirmed in the past attack cases will be included if necessary.
AhnLab 安全应急响应中心 （ASEC） 正在持续监控 Andariel 威胁组织的攻击。这篇博文将详细介绍最近发现的被认为是由 Andariel 集团实施的攻击。请注意，由于过去攻击案例中发现的恶意软件和C&C服务器未在上述攻击中使用，因此没有直接联系。因此，为了确定最近的攻击与 Andariel 威胁组织之间的联系，本文将首先分析 Andariel 组织在 2023 年上半年的攻击案例。然后，分析将用于确定攻击与威胁组之间的可能联系。如有必要，将包括过去攻击案例中确认的详细信息。
One characteristic of the attacks identified in 2023 is that there are numerous malware strains developed in the Go language. In an attack case where Innorix Agent was used, a Reverse Shell developed in Go was used. Black RAT was used in attacks targeting Korean companies afterward. Such trends continued into the recent cases, where other malware strains developed in Go such as Goat RAT and DurianBeacon are being used in attacks. Besides the Go version, DurianBeacon has a version developed in the Rust language as well.
2023 年发现的攻击的一个特点是，有许多用 Go 语言开发的恶意软件。在使用 Innorix Agent 的攻击案例中，使用了用 Go 开发的 Reverse Shell。之后，Black RAT 被用于针对韩国公司的攻击。这种趋势一直持续到最近的案例中，Goat RAT 和 DurianBeacon 等 Go 中开发的其他恶意软件正在被用于攻击。除了 Go 版本，DurianBeacon 还有一个用 Rust 语言开发的版本。
Because the initial distribution case could not be identified directly, this post will conduct an analysis based on the malware strains used in the attacks. Note that various malware types are being used in the attacks. When a name given by the malware creator can be confirmed, the said name will be used. If not, the names of similar malware types or AhnLab’s detection name will be used.
由于无法直接识别初始分发案例，因此本文将根据攻击中使用的恶意软件进行分析。请注意，攻击中使用了各种恶意软件类型。当可以确认恶意软件创建者给出的名称时，将使用该名称。如果没有，将使用类似恶意软件类型的名称或 AhnLab 的检测名称。
1. Past attack cases 1. 过往攻击案例
1.1. Cases of Innorix Agent abuse
1.1. Innorix Agent 滥用案例
In February 2023, ASEC shared the case where the Andariel threat group distributed malware to users with a vulnerable version of Innorix Agent in the blog post “Distribution of Malware Exploiting Vulnerable Innorix: Andariel.”  The Innorix Agent program abused in distribution is a file transfer solution client program. According to the post regarding the vulnerability by the Korea Internet & Security Agency (KISA), the affected versions were found to be INNORIX Agent 220.127.116.110 or earlier, which were advised to be applied with the security update.  (this content only supports the Korean version)
2023 年 2 月，ASEC 在博客文章“利用易受攻击的 Innorix 的恶意软件分发：Andariel”中分享了 Andariel 威胁组织向具有易受攻击版本的 Innorix Agent 的用户分发恶意软件的案例。 在分发中被滥用的 Innorix Agent 程序是一个文件传输解决方案客户端程序。根据韩国互联网与安全局（KISA）关于该漏洞的帖子，受影响的版本被发现是INNORIX Agent 18.104.22.1680或更早版本，建议将其应用于安全更新。 （此内容仅支持韩文版）
An investigation of the malware strains used in the attacks based on past attack cases revealed that multiple Korean universities were infected with malware strains. Most malware types used in the attacks were backdoors, and no previously identified type was present. However, because there is a connection with other malware strains used in the past or those used in subsequent attacks, a brief summary of their characteristics will be given.
1.1.1. NukeSped variant – Volgmer
1.1.1. NukeSped 变体 – Volgmer
As covered in the ASEC Blog before, this malware strain uses the following 0x10 byte key in the process of communicating with the C&C server to encrypt packets. The key value in question is the same as the one employed in Volgmer used by the Hidden Cobra (Lazarus) threat group, as stated in a report by the United States Cybersecurity & Infrastructure Security Agency (CISA).  (page currently unavailable)
- Key: 74 61 51 04 77 32 54 45 89 95 12 52 12 02 32 73
钥匙：74 61 51 04 77 32 54 45 89 95 12 52 12 02 32 73
Volgmer was also used in comparatively recent attacks. It runs by reading the configuration data saved in the registry key “HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security” and uses the HTTP protocol to communicate with the C&C server. Such characteristics are highly similar to the type mentioned in the CISA report in the past, which means that the malware continues to be used in attacks with no significant variants being released. While the same key value was used in both the malware mentioned in this post and Volgmer, there is a difference: the malware used in the current attack cases uses the key value to encrypt the packets used to communicate with the C&C server. Meanwhile, Volgmer uses the value to decrypt the encrypted configuration data saved in the registry.
Volgmer 也被用于相对较新的攻击。它通过读取保存在注册表项“HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security”中的配置数据来运行，并使用HTTP协议与C&C服务器进行通信。这些特征与过去CISA报告中提到的类型高度相似，这意味着该恶意软件继续用于攻击，没有发布任何重大变体。虽然本文中提到的恶意软件和Volgmer都使用了相同的密钥值，但存在差异：当前攻击案例中使用的恶意软件使用密钥值来加密用于与C&C服务器通信的数据包。同时，Volgmer 使用该值来解密保存在注册表中的加密配置数据。
Accordingly, it is not entirely accurate to categorize the above malware strain as a type of Volgmer, so it was categorized as a variant of NukeSped instead. The malware is a comparatively simple backdoor that only provides basic features. Notably, the Batch script used in the self-deletion process is similar to the one used in NukeSped types in the past.
1.1.2. Andardoor 1.1.2. 安达多尔
Developed in .NET, this malware is a backdoor that uses the name TestProgram. Based on AhnLab’s detection name, it is classified as Andardoor. It is notable for being obfuscated using the Dotfuscator tool. It offers various features for controlling the infected system, such as file and process tasks, executing commands, and capturing screenshots. SSL encryption is used for communication with the C&C server. For the server name, it designated the “clientName” string.
1.1.3. 1th Troy Reverse Shell
1.1.3. 第 1 个特洛伊反向壳
1th Troy is a Reverse Shell malware developed in Go. The following string included in the binary shows that the malware has the simple name of “Reverse_Base64_Pipe” and the malware’s creator classified the malware as “1th Troy”.
1th Troy 是用 Go 开发的 Reverse Shell 恶意软件。二进制文件中包含的以下字符串显示该恶意软件的简单名称为“Reverse_Base64_Pipe”，并且恶意软件的创建者将恶意软件归类为“1th Troy”。
Being a Reverse Shell that only provides basic commands, the commands supported include “cmd”, “exit”, and “self delete”. They support the command execution, process termination, and self-deletion features respectively.
作为仅提供基本命令的 Reverse Shell，支持的命令包括 “cmd”、“exit” 和 “self delete”。它们分别支持命令执行、进程终止和自删除功能。
1.2. Cases of attacks against Korean corporations
The Andariel group also distributed malware in March 2023 in its attacks against the Korean defense industry and an electronics device manufacturer. The method of initial compromise has not yet been identified, but logs of the mshta.exe process installing TigerRat and the mshta.exe process being terminated were confirmed through the AhnLab Smart Defense (ASD) infrastructure. This means that the malware strains were installed through a script-type malware with the spear phishing attack method.
2023 年 3 月，Andariel 集团还在针对韩国国防工业和一家电子设备制造商的攻击中分发了恶意软件。初始入侵的方法尚未确定，但安装 TigerRat 的 mshta.exe 进程和终止的 mshta.exe 进程的日志已通过 AhnLab 智能防御 （ASD） 基础设施确认。这意味着恶意软件是通过具有鱼叉式网络钓鱼攻击方法的脚本型恶意软件安装的。
Malware strains used in attacks were generally backdoor types. TigerRat, which has been used by the Andariel group since the past, was also included.
Tiger Rat is a RAT-type malware with its name given by KISA  and has been consistently employed by the Andariel threat group since 2020. It is known to be generally distributed through malicious document files containing macros that are attached to spear phishing emails, or through watering hole attacks.  There are also cases where the Andariel group targeted Korean corporations that use vulnerable versions of VMware Horizon and launched Log4Shell vulnerability attacks to install TigerRat. 
Besides offering basic features such as file tasks and executing commands, TigerRat is a backdoor that supports other various features such as collecting information, keylogging, capturing screenshots, and port forwarding. One of its characteristics is that there is an authentication process upon the first communication session with the C&C server. In past versions, the string shown below disguised as SSL communications was used in the authentication process. Depending on the malware version, either the string “HTTP 1.1 /member.php SSL3.4” or “HTTP 1.1 /index.php?member=sbi2009 SSL3.3.7” must be sent to the C&C server, and the string “HTTP 1.1 200 OK SSL2.1” should be sent in return for authentication to be successful.
However, in the recently identified TigerRat type, the following random strings 0x20 in size are used. These strings are thought to be the MD5 hash for “fool” (dd7b696b96434d2bf07b34f9c125d51d) and “iwan” (01ccce480c60fcdb67b54f4509ffdb56). It seems that the threat actor used random strings in the authentication process to evade network detection.
但是，在最近确定的 TigerRat 类型中，使用了以下大小0x20的随机字符串。这些字符串被认为是“fool”（dd7b696b96434d2bf07b34f9c125d51d）和“iwan”（01ccce480c60fcdb67b54f4509ffdb56）的MD5哈希。威胁行为者似乎在身份验证过程中使用随机字符串来逃避网络检测。
- C&C request string: dd7b696b96434d2bf07b34f9c125d51d
- C&C response string: 01ccce480c60fcdb67b54f4509ffdb56
1.2.2. Black RAT 1.2.2. 黑鼠
Black Rat is a backdoor-type malware that is likely created by the threat actor. Like other malware strains, it was developed in Go. While the 1th Troy Reverse Shell identified in the previous case only supports a basic command execution feature, Black Rat provides many additional features such as downloading files and capturing screenshots.
Black Rat 是一种后门类型的恶意软件，可能是由威胁参与者创建的。与其他恶意软件一样，它是用 Go 开发的。虽然在前一个案例中确定的第一个特洛伊反向外壳仅支持基本的命令执行功能，但 Black Rat 提供了许多附加功能，例如下载文件和捕获屏幕截图。
Examining the following string included in the binary shows that the malware creator classified the malware as a RAT type and named it Black.
1.2.3. NukeSped variants
A typical NukeSped-type backdoor was also used in this attack. Supported features include network scanning, process and file lookup, file upload/download, and command execution. The names of the APIs to be used are encrypted as shown below. These are decrypted and the API names are taken from somewhere else. A key with a size of 0x26 is used for decryption.
- Key value used for decryption: i<6fu>-0|HSLRCqd.xHqMB]4H#axZ%5!5!?SQ&
This NukeSped variant also uses a Batch script for self-deletion, but it is slightly different from the one used in the previous attacks.
There are two types of identified NukeSped variants: Reverse Shell and Bind Shell types. Both listen to port number 10443. This NukeSped variant has an authentication process before communicating with the C&C server like TigerRat. Yet whereas TigerRat disguised the process as SSL communications, NukeSped disguised it as HTTP communications. Thus, after sending the following POST request, an accurately matching HTTP response must be received for the malware to commence communications with the C&C server.
2. Cases of Recent Attacks
ASEC is monitoring attacks of the Andariel group and has recently identified cases of Innorix Agent being abused to install malware. Unlike past cases where Innorix Agent was downloading malware strains, the recent case directly creates the malware file, so it is not certain whether the attacks are vulnerability attacks or if Innorix Agent was simply abused.
Malware strains identified in these attacks are not those that had been used by the Andariel group in the past, but aside from the fact that Innorix was used in the attacks, the current attack is similar to past attack cases in that the attack targets are Korean universities. While the attack was being perpetrated, attack cases against Korean ICT companies, electronic device manufacturers, the shipbuilding industry, and the manufacturing industry were identified as well. Analysis showed that there was a connection with the malware strains used in attack cases where Innorix was abused.
This part will analyze each attack case and malware strains used in the attacks. Afterward, a summary will be given of the conclusion that the same threat actor is behind these attacks and the basis behind the claim, as well as the relationship between the current attacks and past attack cases of the Andariel threat group.
2.1. Cases of Innorix Agent abuse
2.1.1. Goat RAT
In recent attacks against Korean universities, there were cases where Innorix Agent installed malware strains. Innorix Agent installed the malware strains under the name “iexplorer.exe”. This is one of the names that has been often used by the Andariel group.
Although the recent version is obfuscated unlike the Go-based backdoor-type malware used in past attacks, basic file tasks, self-deletion features, etc. can be identified. There are also logs where the following commands were executed.
尽管与过去攻击中使用的基于 Go 的后门类型恶意软件不同，最新版本进行了混淆，但可以识别基本文件任务、自删除功能等。还有一些日志，其中执行了以下命令。
|> cmd /c tasklist > cmd /c 任务列表
> cmd /c ipconfig /all
2.2. Cases of attacks against Korean corporations
Aside from the attack cases where Innorix Agent was abused, ASEC identified another type of attack in a similar period of time. While the initial distribution route has not yet been ascertained, the malware strains used in the attacks were obfuscated with a tool called Dotfuscator like the .NET malware strains classified as Andardoor. Another common trait is that both types use SSL communications with the C&C server. Unlike Andardoor which used “clientName” when connecting to the C&C server, this attack case used the string “sslClient”.
Whereas Andardoor had most of its features already implemented, this malware strain only has a downloader feature to download and execute executable data such as .NET assemblies from external sources. Out of the commands sent from the C&C server, the commands shown below can be used to execute or terminate the received code. Behaviors performed by the threat actor using AndarLoader include installing Mimikatz in the infected system, which has been confirmed through a recorded log.
At the time of analysis, the C&C server was unavailable for access and the part in charge of the actual features could not be investigated, so no direct similarity with Andardoor could be confirmed. However, the use of the same obfuscation tool or the similarities in the communication process with the C&C server led AhnLab to categorize this malware as the AndarLoader type.
|alibaba||Execute the downloaded .NET assemblies|
|Execute the downloaded .NET method|
|vanish||Self-delete and terminate|
Among the commands given by the treat actor that AndarLoader executes, there is a command to terminate the mshta.exe process. The fact that AndarLoader was installed via PowerShell and the mshta.exe process was involved leaves the possibility that this is a spear phishing attack like the cases of attacks covered above.
Additionally, logs of the mshta.exe process connecting to the C&C server can be found in systems infected with AndarLoader.
The domain kro.kr was used as the C&C and download URLs. This is a domain generally used by the Kimsuky threat group. Also, the fact that Ngrok was installed for RDP connection during the attack process shows how the case is similar to the attack pattern of the Kimsuky group.
域 kro.kr 被用作C&C和下载URL。这是 Kimsuky 威胁组织通常使用的域。此外，在攻击过程中为 RDP 连接安装了 Ngrok 这一事实表明，该案例与 Kimsuky 组的攻击模式相似。
While investigating the AndarLoader malware, AhnLab identified that a malware strain named DurianBeacon was also used in the attack process. There are two versions of DurianBeacon, one developed in Go and the other developed in Rust. Both are backdoors that can perform malicious behaviors by receiving the threat actor’s commands from the C&C server.
A. Go Version
Examining the following strings included in the binary indicates that the malware creator named this malware strain DurianBeacon.
The Go version of DurianBeacon uses the SSL protocol to communicate with the C&C server. After initial access, it sends the infected system’s IP information, user name, desktop name, architecture, and file names before awaiting commands. When a command is sent, it returns a result. Supported features besides collecting basic information about the infected system include file download/upload, lookup, and command execution features.
Because the SSL protocol is used, communications packets are encrypted. The following packet structure is used internally.
|0x04||0x04||Size of the command argument|
The features corresponding to each command code are as follows.
|Command 命令||Feature 特征|
|0x02||Execute commands (return results)
|0x03||Look up directories 查找目录|
|0x04||Drive information 驱动器信息|
|0x05, 0x06, 0x07, 0x08 0x05、0x06、0x07 0x08||Upload files 上传文件|
|0x09, 0x0A, 0x0B 0x09、0x0A 0x0B||Download files 下载文件|
|0x0C||Create directories 创建目录|
|0x0D||Delete files 删除文件|
|0x0E||Run commands 运行命令|
表 3.DurianBeacon 命令列表
After executing commands, the malware sends the success status or the command execution results to the threat actor’s C&C server. The response is also similar to the command packet.
|Offset 抵消||Size 大小||Description 描述|
|0x00||0x04||Response number 响应编号|
|0x04||0x04||Size of the command execution results|
|0x08||Variable||Command execution results|
|0x00||Return command results|
|0x01, 0x02, 0x03||Look up directories (start, terminate, etc.)|
|0x05, 0x06, 0x07||Upload files (error, success, etc.)|
|0x08, 0x09, 0x0A||Download files (error, success, etc.)|
|0x0B, 0x0C||Create directories (failure or success)|
|0x0D, 0x0E||Delete files (failure or success)|
|0x0F, 0x10||Run commands (failure or success)|
B. Rust Version
Investigation of related files revealed that the Rust version of DurianBeacon was also used in attacks.
- PDB information: C:\Users\Anna\Documents\DurianBeacon\target\x86_64-pc-windows-msvc\release\deps\DurianBeacon.pdb
DurianBeacon supports packet encryption using XOR aside from SSL to communicate with the C&C server, using the key 0x57.
The packet structure and commands are also the same as the Go version. The Rust version of DurianBeacon sends the keyword “durian2023” alongside the infected system’s IP information, user name, desktop name, architecture, and file names before awaiting command. When a command is sent, it returns the results.
3. Connections to recent attack cases
The above section covered the recently identified two cases where universities in Korea were attacked through abusing Innorix Agent and where malware strains were installed in Korean corporations through presumably spear phishing attacks. This part will explain why AhnLab considers the same threat actor to be behind both types of attacks.
上一节介绍了最近发现的两起案例，其中韩国的大学通过滥用Innorix Agent受到攻击，以及通过推测的鱼叉式网络钓鱼攻击在韩国公司中安装了恶意软件。这部分将解释为什么 AhnLab 认为同一威胁行为者是两种类型攻击的幕后黑手。
First, there are cases in AhnLab’s ASD logs where Durian, Goat RAT, and AndarLoader were collected together in a similar period. The system in question is thought to be the threat actor’s test PC because the path name of AndarLoader was as follows.
首先，在 AhnLab 的 ASD 日志中，有一些案例表明，榴莲、山羊 RAT 和 AndarLoader 是在相似的时期一起收集的。有问题的系统被认为是威胁参与者的测试PC，因为AndarLoader的路径名如下。
- AndarLoader collection path: d:\01__developing\99__c#_obfuscated\runtime broker.exe
AndarLoader 集合路径：d：\01__developing\99__c#_obfuscated\runtime broker.exe
There are also cases where the C&C servers of backdoor-type malware strains were the same. When the threat actor used Innorix Agent to install malware, Goat RAT was mainly employed, but there is a significant portion where other malware strains were installed. While such malware samples could not be collected, there are recorded communications logs with the C&C server. Also, the URL in question was the same as the DurianBeacon C&C server URL used in other attacks.
在某些情况下，后门型恶意软件的C&C服务器是相同的。当威胁行为者使用 Innorix Agent 安装恶意软件时，主要使用 Goat RAT，但有很大一部分安装了其他恶意软件。虽然无法收集此类恶意软件样本，但记录了与C&C服务器的通信日志。此外，有问题的URL与其他攻击中使用的DurianBeacon C&C服务器URL相同。
Finally, there was a log where DurianBeacon installed AndarLoader. This means that these attacks happened around a similar time period, and the attacks might be related to each other as the installation processes and the C&C server URLs used tend to be similar.
4. Connections to past attack cases of the Andariel group
The recently identified two attack cases are likely done by the same threat actor. This section will cover the relationship between these attacks and the Andariel threat group.
A. Attack Targets
- Attacked universities, the national defense industry, electronic device manufacturers, ICT companies, etc. in Korea.
B. Attack Methods
- Abused Innorix Agent like in past cases
- Probably employed spear phishing method like in past cases
- Similarities between the path and file names used when installing the malware strains
C. Malware Types Used
- Malware strains developed in Go were used
- Similarities between Andardoor and AndarLoader
- Malware types similar to the Infostealer used in previous attacks were identified
First, there are the facts that the industries and sectors that became attack targets were the same as the targets identified in past attack cases and the same attack methods used in previous attacks were employed in recent cases. AhnLab identified cases where Innorix Agent was used. While not confirmed, many logs showed circumstances of spear phishing attacks.
The file name “iexplorer.exe” used to install malware has been identified from Andariel’s past attack cases to the present. Besides “iexplorer.exe”, names including the “svc” keyword such as “authsvc.exe” and “creditsvc.exe” has been continuously used. Also, aside from “mainsvc.exe” and “certsvc.exe”, there are cases where similar names such as “netsvc.exe” and “srvcredit.exe” were used.
As covered in the corresponding section, AndarLoader was obfuscated with the trial version of Dotfuscator, the tool used in Andardoor in previous attacks. It also uses SSL encryption to communicate with the C&C server, again showing similarities with past attack cases. Two other malware strains developed in Go were used as well. These align with the trend of malware strains developed in Go such as 1th Troy Reverse Shell and Black RAT continuously being used since the early part of this year.
如相应部分所述，AndarLoader 与 Dotfuscator 的试用版混淆了，Dotfuscator 是 Andardoor 在以前的攻击中使用的工具。它还使用SSL加密与C&C服务器进行通信，再次显示出与过去攻击案例的相似之处。还使用了在 Go 中开发的另外两种恶意软件。这些与 Go 中开发的恶意软件菌株的趋势一致，例如自今年年初以来不断使用的 1th Troy Reverse Shell 和 Black RAT。
Finally, there is also the system thought to be the threat actor’s test PC and Infostealer strains presumably created by the threat actor during the attack process. In fact, the Andariel group in the past installed malware strains responsible for stealing account credentials during the attack process, exfiltrating account credentials saved in Internet Explorer, Chrome, and Firefox web browsers. Such malware strains are command line tools that output the extracted account credentials via command lines. It seems that the threat actor used a backdoor to send the results to the C&C server.
最后，还有一个系统被认为是威胁行为者的测试 PC 和信息窃取者，据推测是由威胁行为者在攻击过程中创建的。事实上，Andariel 集团过去安装的恶意软件菌株负责在攻击过程中窃取帐户凭据，泄露保存在 Internet Explorer、Chrome 和 Firefox Web 浏览器中的帐户凭据。此类恶意软件是命令行工具，可通过命令行输出提取的帐户凭据。威胁行为者似乎使用后门将结果发送到C&C服务器。
The Infostealer used in the recent attacks has a similar format. The only difference is that it only targets web browsers and steals account credentials and histories. Additionally, unlike the past cases where results were outputted by command lines, the recent version saves the stolen information in the same path under the file name “error.log”.
最近攻击中使用的 Infostealer 具有类似的格式。唯一的区别是它仅针对 Web 浏览器并窃取帐户凭据和历史记录。此外，与过去通过命令行输出结果的情况不同，最新版本将被盗信息保存在文件名“error.log”下的相同路径中。
The Andariel group is one of the highly active threat groups targeting Korea along with Kimsuky and Lazarus. The group launched attacks to gain information related to national security in the early days but now carries out attacks for financial gains.  The group is known to employ spear phishing attacks, watering hole attacks, and vulnerability exploits for their initial infiltration process. There have also been cases where it used other vulnerabilities in the attack process to distribute malware strains.
Users must be particularly cautious about attachments to emails with unknown sources or executable files downloaded from websites. Users should also apply the latest patch for OS and programs such as internet browsers and update V3 to the latest version to prevent malware infection in advance.
– Backdoor/Win.Agent.R562183 (2023.03.14.00)
– 后门/Win.Agent.R562183 （2023.03.14.00）
– Backdoor/Win.Andardoor.C5381120 (2023.02.16.01)
– 后门/Win.Andardoor.C5381120 （2023.02.16.01）
– Backdoor/Win.Andardoor.R558252 (2023.02.16.01)
– 后门/Win.Andardoor.R558252 （2023.02.16.01）
– Backdoor/Win.AndarGodoor.C5405584 (2023.04.05.03)
– 后门/Win.AndarGodoor.C5405584 （2023.04.05.03）
– Backdoor/Win.DurianBeacon.C5472659 (2023.08.18.02)
– 后门/Win.DurianBeacon.C5472659 （2023.08.18.02）
– Backdoor/Win.DurianBeacon.C5472662 (2023.08.18.02)
– 后门/Win.DurianBeacon.C5472662 （2023.08.18.02）
– Backdoor/Win.DurianBeacon.C5472665 (2023.08.18.03)
– 后门/Win.DurianBeacon.C5472665 （2023.08.18.03）
– Backdoor/Win.Goat.C5472627 (2023.08.18.02)
– 后门/Win.Goat.C5472627 （2023.08.18.02）
– Backdoor/Win.Goat.C5472628 (2023.08.18.02)
– 后门/Win.Goat.C5472628 （2023.08.18.02）
– Backdoor/Win.Goat.C5472629 (2023.08.18.02)
– 后门/Win.Goat.C5472629 （2023.08.18.02）
– Backdoor/Win.NukeSped.C5404471 (2023.04.03.02)
– 后门/Win.NukeSped.C5404471 （2023.04.03.02）
– Backdoor/Win.NukeSped.C5409470 (2023.04.12.00)
– 后门/Win.NukeSped.C5409470 （2023.04.12.00）
– Backdoor/Win.NukeSped.C5409543 (2023.04.12.00)
– 后门/Win.NukeSped.C5409543 （2023.04.12.00）
– Infostealer/Win.Agent.C5472631 (2023.08.18.02)
– 信息窃取程序/Win.Agent.C5472631 （2023.08.18.02）
– Trojan/Win.Agent.C5393280 (2023.03.11.00)
– 特洛伊木马/Win.Agent.C5393280 （2023.03.11.00）
– Trojan/Win.Agent.C5451550 (2023.07.11.00)
– 特洛伊木马/Win.Agent.C5451550 （2023.07.11.00）
– Trojan/Win.Andarinodoor.C5382101 (2023.02.16.01)
– 特洛伊木马/Win.Andarinodoor.C5382101 （2023.02.16.01）
– Trojan/Win.Andarinodoor.C5382103 (2023.02.16.01)
– 特洛伊木马/Win.Andarinodoor.C5382103 （2023.02.16.01）
– Trojan/Win32.RL_Mimikatz.R366782 (2021.02.18.01)
– 特洛伊木马/Win32.RL_Mimikatz.R366782 （2021.02.18.01）
Behavior Detection 行为检测
– 0a09b7f2317b3d5f057180be6b6d0755: NukeSped variant – Volgmer (%SystemRoot%\mstc.exe.irx)
– 0a09b7f2317b3d5f057180be6b6d0755： NukeSped 变体 – Volgmer （%SystemRoot%\mstc.exe.irx）
– 1ffccc23fef2964e9b1747098c19d956: NukeSped Variant – Volgmer (%SystemRoot%\msnox.exe.irx)
– 1ffccc23fef2964e9b1747098c19d956： NukeSped 变体 – Volgmer （%SystemRoot%\msnox.exe.irx）
– 9112efb49cae021abebd3e9a564e6ca4: NukeSped variant – Volgmer (%SystemRoot%\system32\mscert.exe)
– 9112efb49cae021abebd3e9a564e6ca4： NukeSped 变体 – Volgmer （%SystemRoot%\system32\mscert.exe）
– bcac28919fa33704a01d7a9e5e3ddf3f: NukeSped variant – Volgmer (%SystemRoot%\msnoxe.exe.irx)
– bcac28919fa33704a01d7a9e5e3ddf3f： NukeSped 变体 – Volgmer （%SystemRoot%\msnoxe.exe.irx）
– ac0ada011f1544aa3a1cf27a26f2e288: Andardoor (%SystemDrive%\users\%ASD%\msdes.exe.irx)
– ac0ada011f1544aa3a1cf27a26f2e288： Andardoor （%SystemDrive%\users\%ASD%\msdes.exe.irx）
– c892c60817e6399f939987bd2bf5dee0: Andardoor (%SystemDrive%\users\%ASD%\msdes.exe.irx)
– c892c60817e6399f939987bd2bf5dee0： Andardoor （%SystemDrive%\users\%ASD%\msdes.exe.irx）
– 0211a3160cc5871cbcd4e5514449162b: Andardoor (%SystemDrive%\users\%ASD%\msdes.exe.irx)
– 0211a3160cc5871cbcd4e5514449162b：Andardoor （%SystemDrive%\users\%ASD%\msdes.exe.irx）
– e5410abaaac69c88db84ab3d0e9485ac: 1st Troy Reverse Shell (%SystemRoot%\msnox.exe.irx)
– e5410abaaac69c88db84ab3d0e9485ac：第一个特洛伊反向外壳 （%SystemRoot%\msnox.exe.irx）
– 88a7c84ac7f7ed310b5ee791ec8bd6c5: 1st Troy Reverse Shell (%SystemRoot%\msnox.exe.irx)
– 88a7c84ac7f7ed310b5ee791ec8bd6c5：第一个特洛伊反向外壳 （%SystemRoot%\msnox.exe.irx）
– eb35b75369805e7a6371577b1d2c4531: TigerRat (%SystemRoot%\system32\hl_cl.exe)
– eb35b75369805e7a6371577b1d2c4531：TigerRat （%SystemRoot%\system32\hl_cl.exe）
– 5a3f3f75048b9cec177838fb8b40b945: TigerRat (%SystemDrive%\users\%ASD%\larabar.exe, %SystemDrive%\users\%ASD%\mainsvc.exe, %SystemDrive%\users\%ASD%\certsvc.exe)
– 9d7bd0caed10cc002670faff7ca130f5: Black RAT (%SystemRoot%\syswow64\mbcbuilder.exe, %SystemRoot%\syswow64\msinfo.exe)
– 8434cdd34425916be234b19f933ad7ea: Black RAT (%SystemRoot%\system32\shamon.exe)
– 8434cdd34425916be234b19f933ad7ea：黑鼠 （%SystemRoot%\system32\shamon.exe）
– bbaee4fe73ccff1097d635422fdc0483: NukeSped Variant (%SystemDrive%\users\%ASD%\update.exe)
– bbaee4fe73ccff1097d635422fdc0483：NukeSped 变体 （%SystemDrive%\users\%ASD%\update.exe）
– 79e474e056b4798e0a3e7c60dd67fd28: NukeSped variant (%SystemRoot%\hl_cl.exe)
– 79e474e056b4798e0a3e7c60dd67fd28：NukeSped 变体 （%SystemRoot%\hl_cl.exe）
– 3ec3c9e9a1ad0e6a6bd75d00d616936bc: Goat RAT (%SystemDrive%\users\%ASD%\downloads\iexplore.exe)
– 95c276215dcc1bd7606c0cb2be06bf70: Goat RAT (%SystemDrive%\users\%ASD%\downloads\iexplore.exe)
– 95c276215dcc1bd7606c0cb2be06bf70：山羊鼠 （%SystemDrive%\users\%ASD%\downloads\iexplore.exe）
– 426bb55531e8e3055c942a1a035e46b9: Goat RAT (%SystemDrive%\users\%ASD%\downloads\iexplore.exe)
– 426bb55531e8e3055c942a1a035e46b9：山羊鼠 （%SystemDrive%\users\%ASD%\downloads\iexplore.exe）
– cfae52529468034dbbb40c9a985fa504: Goat RAT (%SystemDrive%\users\%ASD%\downloads\iexplore.exe)
– cfae52529468034dbbb40c9a985fa504：山羊鼠 （%SystemDrive%\users\%ASD%\downloads\iexplore.exe）
– deae4be61c90ad6d499f5bdac5dad242: Goat RAT (%SystemDrive%\users\%ASD%\downloads\iexplore.exe)
– 6ab4eb4c23c9e419fbba85884ea141f4: AndarLoader ((SystemDrive%\users\%ASD%\pictures\runtime broker.exe, %SystemRoot%\system32\authsvc.exe, %SystemRoot%\system32\creditsvc.exe, %ProgramFiles%\smartplant\svchost.exe)
– 6ab4eb4c23c9e419fbba85884ea141f4：AndarLoader（（SystemDrive%\users\%ASD%\pictures\runtime broker.exe， %SystemRoot%\system32\authsvc.exe， %SystemRoot%\system32\creditsvc.exe， %ProgramFiles%\smartplant\svchost.exe）
– bda0686d02a8b7685adf937cbcd35f46: DurianBeacon Go (a.exe)
– bda0686d02a8b7685adf937cbcd35f46： 榴莲信标去 （a.exe）
– 6de6c27ca8f4e00f0b3e8ff5185a59d1: DurianBeacon Go (%SystemDrive%\users\%ASD%\pictures\xxx.exe)
– 6de6c27ca8f4e00f0b3e8ff5185a59d1： 榴莲信标去 （%SystemDrive%\users\%ASD%\pictures\xxx.exe）
– c61a8c4f6f6870c7ca0013e084b893d2: DurianBeacon Rust (%SystemDrive%\users\%ASD%\documents\d.exe)
– 5291aed100cc48415636c4875592f70c: Mimikatz (%SystemDrive%\users\%ASD%\mimi.exe)
– 5291aed100cc48415636c4875592f70c：Mimikatz （%SystemDrive%\users\%ASD%\mimi.exe）
– f4795f7aec4389c8323f7f40b50ae46f: malware collecting account credentials (%SystemDrive%\users\%ASD%\documents\mshelp.exe)
– f4795f7aec4389c8323f7f40b50ae46f：恶意软件收集帐户凭据 （%SystemDrive%\users\%ASD%\documents\mshelp.exe）
– hxxp://27.102.113[.]88/client.exe: NukeSped variant – Volgmer
– hxxp://27.102.107[.]230/mstcs.exe: NukeSped variant – Volgmer
– hxxp://27.102.107[.]233/update.exe: NukeSped variant – Volgmer
– hxxp://27.102.107[.]233/client.exe: NukeSped variant – Volgmer
– hxxp://27.102.107[.]234/update.exe: NukeSped variant – Volgmer
– hxxp://27.102.107[.]235/mstcs.exe: NukeSped variant – Volgmer
– hxxp://139.177.190[.]243/update.exe: Andardoor
– hxxp://4.246.144[.]112/update.exe: Andardoor
– hxxp://27.102.113[.]88/update.exe: 1st Troy Reverse Shell
– hxxp://27.102.107[.]224/update.exe: 1st Troy Reverse Shell
– hxxp://27.102.107[.]230/update.exe: 1st Troy Reverse Shell
– hxxp://www.ipservice.kro[.]kr/dataSeq.exe: AndarLoader
– hxxp://www.ipservice.kro[.]kr/creditsvc.exe: AndarLoader
C&C URLs C&C 网址
– 27.102.113[.]88:5443: NukeSped variant – Volgmer
– 27.102.113[.]88：5443：NukeSped 变体 – Volgmer
– 27.102.107[.]234:8443: NukeSped variant – Volgmer
– 27.102.107[.]234：8443：NukeSped 变体 – Volgmer
– 27.102.107[.]224:5443: NukeSped variant – Volgmer
– 27.102.107[.]224：5443：NukeSped 变体 – Volgmer
– 109.248.150[.]179:443: NukeSped variant – Volgmer
– 109.248.150[.]179：443：NukeSped 变体 – Volgmer
– 139.177.190[.]243:443: Andardoor
– 4.246.144[.]112:443: Andardoor
– 27.102.113[.]88:21: 1st Troy Reverse Shell
– 27.102.107[.]224:8443: 1st Troy Reverse Shell
– 4.246.149[.]227:8080: TigerRat
– 13.76.133[.]68:8080: TigerRat
– 217.195.153[.]233:443: TigerRat
– 217.195.153[.]233：443： 虎鼠
– bbs.topigsnorsvin.com[.]ec:8080: Black RAT
– 27.102.129[.]196:8088: Black RAT
– 13.76.133[.]68:10443: NukeSped variant
– 13.76.133[.]68：10443：NukeSped 变体
– 46.183.223[.]21:8080: Goat RAT
– 46.183.223[.]21：8080： 山羊老鼠
– chinesekungfu[.]org:443: AndarLoader
– 中国功夫[.]org：443： AndarLoader
– privatemake.bounceme[.]net:443: AndarLoader
– privatemake.bounceme[.]net：443： AndarLoader
– 8.213.128[.]76:1012: DurianBeacon Go
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
订阅 AhnLab 的下一代威胁情报平台“AhnLab TIP”，查看相关的 IOC 和详细分析信息。
转载请注明：Analysis of Andariel’s New Attack Activities | CTF导航