Jump to content
  • Malware Attack on South Korean Entities Was Work of Andariel Group

    aum

    • 562 views
    • 3 minutes
     Share


    • 562 views
    • 3 minutes

    Malware Attack on South Korean Entities Was Work of Andariel Group

     

    A malware campaign targeting South Korean entities that came to light earlier this year has been attributed to a North Korean nation-state hacking group called Andariel, once again indicating that Lazarus attackers are following the trends and their arsenal is in constant development.

     

    "The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity," Russian cybersecurity firm Kaspersky said in a deep-dive published Tuesday. Victims of the attack are in the manufacturing, home network service, media, and construction sectors.

     

    Designated as part of the Lazarus constellation, Andariel is known for unleashing attacks on South Korean organizations and businesses using specifically tailored methods created for maximum effectivity. In September 2019, the sub-group, along with Lazarus and Bluenoroff, was sanctioned by the U.S. Treasury Department for their malicious cyber activity on critical infrastructure.

     

    Andariel is believed to have been active since at least May 2016.

     

    ransomware-hacking.jpg

     

    North Korea has been behind an increasingly orchestrated effort aimed at infiltrating computers of financial institutions in South Korea and around the world as well as staging cryptocurrency heists to fund the cash-strapped country in an attempt to circumvent the stranglehold of economic sanctions imposed to stop the development of its nuclear weapons program.

     

    The findings from Kaspersky build upon a previous report from Malwarebytes in April 2021, which documented a novel infection chain that distributed phishing emails weaponized with a macro embedded in a Word file that's executed upon opening in order to deploy malicious code concealed in the form of a bitmap (.BMP) image file to drop a remote access trojan (RAT) on targeted systems.

     

    According to the latest analysis, the threat actor, besides installing a backdoor, is also said to have delivered file-encrypting ransomware to one of its victims, implying a financial motive to the attacks. It's worth noting that Andariel has a track record of attempting to steal bank card information by hacking into ATMs to withdraw cash or sell customer information on the black market.

     

    "This ransomware sample is custom made and specifically developed by the threat actor behind this attack," Kaspersky Senior Security Researcher Seongsu Park said. "This ransomware is controlled by command line parameters and can either retrieve an encryption key from the C2 [server] or, alternatively, as an argument at launch time."

     

    The ransomware is designed to encrypt all files in the machine with the exception of system-critical ".exe," ".dll," ".sys," ".msiins," and ".drv" extensions in return for paying a bitcoin ransom to gain access to a decrypt tool and unique key to unlock the scrambled files.

     

    Kaspersky's attribution to Andariel stems from overlaps in the XOR-based decryption routine that have been incorporated into the group's tactics as early as 2018 and in the post-exploitation commands executed on victim machines.

     

    "The Andariel group has continued to focus on targets in South Korea, but their tools and techniques have evolved considerably," Park said. "The Andariel group intended to spread ransomware through this attack and, by doing so, they have underlined their place as a financially motivated state-sponsored actor."

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...