The Andariel threat group, which usually targets Korean corporations and organizations, is known to be affiliated with the Lazarus threat group or to be one of its subsidiaries. Attacks against Korean targets have been identified since 2008. Major target industries are those related to national security, such as national defense, political organizations, shipbuilding, energy, and communications. Various other companies and institutes in Korea, including universities, logistics companies, and ICT companies, are also becoming attack targets.
In the initial compromise stage of their activities, the Andariel threat group primarily relies on a combination of spear phishing, watering hole attacks, and supply chain vulnerabilities. Of particular note is their shift towards using malware strains developed in the Go language. These malware strains exhibit characteristics such as reverse shell capabilities, command execution, and self-deletion features. Notable examples include Goat RAT, Black RAT, AndarLoader, and DurianBeacon; the blog provides specific details on their communication protocols, encryption methods, and functionality. Furthermore, the blog highlights the exploitation of vulnerabilities, particularly the abuse of Innorix Agent, as a common method of malware distribution in recent attacks. The identification of shared C&C servers and attack patterns across different malware strains suggests a coordinated effort by the Andariel group, linking the recent attacks to their past activities. These technical details underscore the need for organizations to bolster their cybersecurity defenses, regularly update software, and exercise caution with email attachments and downloads from unknown sources in order to mitigate the risks posed by this sophisticated threat group.
The Andariel threat group remains a significant cybersecurity concern for Korean organizations, employing various tactics and evolving their malware capabilities. Organizations are urged to remain vigilant and keep their systems up to date to prevent malware infections.
The following reports contain further technical details: