Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.[1][2][3][4][5]
Andariel is considered a subset of Lazarus Group, and has been attributed to North Korea's Reconnaissance General Bureau.[6]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
| Name | Description |
|---|---|
| Silent Chollima | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | Andariel has collected large numbers of files from compromised network systems for later extraction.[1] |
| Enterprise | T1189 | Drive-by Compromise | Andariel has used watering hole attacks, often with zero-day exploits, to gain initial access to victims within a specific IP range.[3][4] |
| Enterprise | T1203 | Exploitation for Client Execution | Andariel has exploited numerous ActiveX vulnerabilities, including zero-days.[1][2][4] |
| Enterprise | T1592.002 | Gather Victim Host Information: Software | Andariel has inserted a malicious script within compromised websites to collect potential victim information such as browser type, system language, Flash Player version, and other data.[4] |
| Enterprise | T1590.005 | Gather Victim Network Information: IP Addresses | Andariel has limited its watering hole attacks to specific IP address ranges.[3] |
| Enterprise | T1105 | Ingress Tool Transfer | Andariel has downloaded additional tools and malware onto compromised hosts.[3] |
| Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | Andariel has hidden malicious executables within PNG files.[7][8] |
| Enterprise | T1588.001 | Obtain Capabilities: Malware | Andariel has used a variety of publicly available remote access Trojans (RATs) for its operations.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Andariel has conducted spearphishing campaigns that included malicious Word or Excel attachments.[3][7] |
| Enterprise | T1057 | Process Discovery | Andariel has used |
| Enterprise | T1049 | System Network Connections Discovery | Andariel has used the |
| Enterprise | T1204.002 | User Execution: Malicious File | Andariel has attempted to lure victims into enabling malicious macros within email attachments.[3] |