Andariel

Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.[1][2][3][4][5]

Andariel is considered a sub-set of Lazarus Group, and has been attributed to North Korea's Reconnaissance General Bureau.[6]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

ID: G0138
Associated Groups: Silent Chollima
Contributors: Kyoung-ju Kwak (S2W)
Version: 1.0
Created: 29 September 2021
Last Modified: 15 October 2021

Associated Group Descriptions

Name Description
Silent Chollima

[5]

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Andariel has collected large numbers of files from compromised network systems for later extraction.[1]

Enterprise T1189 Drive-by Compromise

Andariel has used watering hole attacks, often with zero-day exploits, to gain initial access to victims within a specific IP range.[3][4]

Enterprise T1203 Exploitation for Client Execution

Andariel has exploited numerous ActiveX vulnerabilities, including zero-days.[1][2][4]

Enterprise T1592 .002 Gather Victim Host Information: Software

Andariel has inserted a malicious script within compromised websites to collect potential victim information such as browser type, system language, Flash Player version, and other data.[4]

Enterprise T1590 .005 Gather Victim Network Information: IP Addresses

Andariel has limited its watering hole attacks to specific IP address ranges.[3]

Enterprise T1105 Ingress Tool Transfer

Andariel has downloaded additional tools and malware onto compromised hosts.[3]

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

Andariel has hidden malicious executables within PNG files.[7][8]

Enterprise T1588 .001 Obtain Capabilities: Malware

Andariel has used a variety of publicly-available remote access Trojans (RATs) for its operations.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Andariel has conducted spearphishing campaigns that included malicious Word or Excel attachments.[3][7]

Enterprise T1057 Process Discovery

Andariel has used tasklist to enumerate processes and find a specific string.[8]

Enterprise T1049 System Network Connections Discovery

Andariel has used the netstat -naop tcp command to display TCP connections on a victim's machine.[8]

Enterprise T1204 .002 User Execution: Malicious File

Andariel has attempted to lure victims into enabling malicious macros within email attachments.[3]

Software

ID Name References Techniques
S0032 gh0st RAT [3] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: Clear Windows Event Logs, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Process Discovery, Process Injection, Query Registry, Screen Capture, Shared Modules, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution
S0433 Rifdoor [3] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Encrypted Channel: Symmetric Cryptography, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information, Phishing: Spearphishing Attachment, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, User Execution: Malicious File

References