EXECUTIVE SUMMARY
Recent intelligence has confirmed a series of Advanced Persistent Threat (APT) attacks by the Andariel group targeting domestic companies and institutions. These attacks have primarily focused on manufacturing companies, construction firms, and educational institutions, employing backdoors, keyloggers, infostealers, and proxy tools to compromise and control infected systems. The attackers have managed to steal sensitive data by leveraging these malicious codes. Notably, the malware used in these attacks includes known threats such as Nestdoor and various web shells, with some tools previously associated with the Lazarus group also being deployed.
The technical analysis reveals that the Andariel group exploited vulnerabilities in web servers running outdated Apache Tomcat software to distribute their malware. Nestdoor, a previously identified Remote Access Trojan (RAT), remains a key component in these attacks, capable of executing commands, keylogging, and opening reverse shells. Additionally, a new malware variant named Dora RAT, developed in the Go language, was discovered, featuring basic control functions and file operations. The attackers also used separate keylogger and clipboard-logger malware to capture sensitive information and deployed stealer malware to exfiltrate large volumes of data. Proxy tools, including ones similar to those used by the Lazarus group, were used to relay command-and-control traffic and support data theft.
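As an added illustration of the detection side of the activity described above, the following script is example code written for this summary, not from the referenced report or from any of the malware analysed there. It assumes Tomcat's default "common" access-log pattern (%h %l %u %t "%r" %s %b), a constructed allowlist of the JSP pages a given application is known to serve, and constructed log lines; the parameter names treated as "command-like" are a heuristic, not indicators taken from the report. It flags three patterns that together cover the web shell and Tomcat Manager abuse path: requests to JSP files outside the application baseline, command-like query parameters sent to a JSP, and write operations against the Manager application.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Tomcat AccessLogValve default "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed baseline (assumption): JSP pages the deployed application legitimately serves.
BASELINE_JSP = frozenset({"/app/index.jsp", "/app/login.jsp", "/app/report.jsp"})

# Heuristic parameter names that simple JSP web shells commonly use to receive commands.
COMMAND_PARAMS = frozenset({"cmd", "command", "exec", "c"})


def parse_line(line):
    """Parse one Tomcat common-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query)
    return rec


def classify(rec):
    """Return the list of reasons a parsed request looks like web shell or Manager abuse."""
    reasons = []
    path = rec["path"].lower()
    method = rec["method"].upper()
    is_jsp = path.endswith(".jsp")
    if is_jsp and path not in BASELINE_JSP:
        reasons.append("request to JSP outside application baseline")
    if is_jsp and COMMAND_PARAMS & {k.lower() for k in rec["params"]}:
        reasons.append("command-like query parameter sent to JSP")
    if path.startswith("/manager/") and method in {"PUT", "POST"}:
        reasons.append("write operation against Tomcat Manager application")
    return reasons


def find_suspicious(lines):
    """Run classify() over raw log lines and collect every request that raised at least one reason."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({
                "host": rec["host"],
                "method": rec["method"],
                "path": rec["path"],
                "status": rec["status"],
                "reasons": reasons,
            })
    return findings


def count_by_host(findings):
    """Aggregate findings per client address so the noisiest source stands out for triage."""
    return Counter(f["host"] for f in findings)


# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses are used.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2024:10:15:01 +0900] "GET /app/index.jsp HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/May/2024:10:15:03 +0900] "POST /app/login.jsp HTTP/1.1" 302 0',
    '203.0.113.7 - - [12/May/2024:10:20:40 +0900] "PUT /manager/text/deploy?path=/img HTTP/1.1" 200 44',
    '203.0.113.7 - - [12/May/2024:10:20:44 +0900] "POST /img/favicon.jsp HTTP/1.1" 200 312',
    '203.0.113.7 - - [12/May/2024:10:20:45 +0900] "GET /img/favicon.jsp?cmd=id HTTP/1.1" 200 58',
    '10.0.0.9 - - [12/May/2024:10:21:00 +0900] "GET /app/static/logo.png HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    results = find_suspicious(SAMPLE_LOG)
    for f in results:
        print(f"{f['host']} {f['method']} {f['path']} -> {'; '.join(f['reasons'])}")
    print(dict(count_by_host(results)))
```

Run against a real access log, the baseline should be generated from the deployed WAR's contents rather than typed by hand, and a new JSP appearing shortly after a Manager deploy from the same address is the sequence worth escalating first.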
The Andariel group continues to pose a significant threat, particularly to organizations in Korea. The group initially focused on gathering security-related information, but its objectives have since expanded to include financial gain. Common infiltration methods include spear-phishing, watering hole attacks, and exploiting software vulnerabilities. To mitigate these risks, it is crucial to exercise caution with email attachments from unknown sources and with downloaded executable files. Organizations should ensure that software vulnerabilities are patched promptly and that all systems, including operating systems and browsers, are kept up to date with the latest security patches and antivirus updates. Proactive measures and vigilant cybersecurity practices are essential to protect against such sophisticated threats.
THREAT PROFILE:
| Tactic | Technique Id | Technique |
| --- | --- | --- |
| Initial Access | T1190 | Exploit Public-Facing Application |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1203 | Exploitation for Client Execution |
| Persistence | T1053 | Scheduled Task/Job |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1036 | Masquerading |
| Credential Access | T1056 | Input Capture |
| Discovery | T1083 | File and Directory Discovery |
| Collection | T1119 | Automated Collection |
| Collection | T1005 | Data from Local System |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1090 | Proxy |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Impact | T1499 | Endpoint Denial of Service |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/apt-attacks-manufacturers-tools/