Andariel Criminal Group

The Andariel Criminal Group is a state-sponsored threat actor that has shown continued focus on targeting entities located in South Korea. The cybercriminals also have displayed a financially motivated side to their operations. Previously, the group has targeted ATMs in South Korea directly, while in the latest serious of attack attributed to the group, the hackers deployed a ransomware threat to one of their victims. It should be noted that the Andarial Criminal Group has been designated as a sub-group of the Lazarus APT (Advanced Persistent Threat) group by the Korean Financial Security Institute.

So far the victims of the Andariel Criminal Group show little connections between each other. Each victim has been active in their respective verticals, without clear links to any of the other targeted entities. Infosec researchers have discovered victims of the group working in the manufacturing, media, construction, and home network service sectors.

A Complex Attack Chain

The operations carried out by the Andariel Criminal Group have continued to evolve and become more complex. The latest observed campaign consists of multiple specialized corrupted payloads, each deployed in a separate stage of the attack. The hackers use weaponized document files as an initial vector of compromise. The documents are designed to carry out sophisticated infection methods that make detection harder significantly. While in most cases, a weaponized Microsoft Word document was delivered to the victims, there also are several instances where the Andariel Criminal Group resorted to a corrupted file disguised as a PDF doc. Upon execution, the documents deliver the second stage payload - a malware threat responsible for establishing contact with the Command-and-Control (C2, C&C) servers and preparing the environment for the next payload.

The second-stage malware can perform 5 specific functions according to the commands it receives from the C2. These include setting a Sleep interval, saving any received data in a local file, executing the received data via CreateThread(), and executing the given commands either via WinExec API or cmd.exe. In the third stage of the attack, the Andariel Criminal Group deploys a backdoor payload onto the victim's machine. The backdoor is executed in the operation interactively and contains x64 and x86 versions. The threat attempts to disguise itself as Internet Explorer or Google Chrome by using their icons and associated file names. The third-stage threat scans the compromised system for signs of a sandbox environment. It checks for the presence of specific modules belonging to Sandboxie and SunBelt SandBox.

On a single victim, the Andariel Criminal Group escalated the attack by dropping a custom-made ransomware threat. The malware uses an AES-128 CBC mode algorithm to encrypt all files regardless of their size with the exception of system-critical extensions such as '.exe,' '.dll,' '.sys,' '.msiins,' and '.drv.' The default extension appended to the locked files is '.3nc004' and that is also the name given to the text file carrying the ransom note. The text of the note reveals that the hackers want to receive a ransom paid in bitcoin and they offer to decrypt two files for free.


Most Viewed