Analysis of Andariel’s New Attack Activities – ASEC BLOG

MITRE Techniques

• [T1566.001] Spearphishing Attachment – The Andariel campaign historically uses spear phishing to distribute malware; “During the initial compromise stage, the Andariel threat group usually employs spear phishing, watering hole, and supply chain attacks.”
• [T1189] Watering Hole – Indicated as part of initial access techniques alongside spear phishing. “During the initial compromise stage, the Andariel threat group usually employs spear phishing, watering hole, and supply chain attacks.”
• [T1195] Supply Chain Compromise – Mentioned as part of initial access methods. “…spear phishing, watering hole, and supply chain attacks.”
• [T1027] Obfuscated/Compressed Files and Information – Obfuscation of and/or Dotfuscator usage for AndarLoader; “obfuscated with the Dotfuscator tool.”
• [T1218.005] Signed Binary Proxy Execution: Mshta – Use of mshta.exe to install TigerRat; “Mshta process installing TigerRat”
• [T1059.003] Windows Command Shell – Goat RAT and other Go backdoors show commands like “cmd /c tasklist” and “cmd /c ipconfig /all”
• [T1059.001] PowerShell – AndarLoader delivered via PowerShell; “installed via PowerShell”
• [T1071.001] Web Protocols – C2 communications use HTTP/HTTPS; “uses the HTTP protocol to communicate with the C&C server” and SSL in various variants
• [T1573] Encrypted Channel – SSL-based C2 communications in DurianBeacon Go version; “SSL encryption to communicate with the C&C server”
• [T1133] External Remote Services – Ngrok used for RDP connections during attacks; “Ngrok was installed for RDP connection during the attack process”
• [T1003.001] Credential Dumping – Mimikatz installed on infected systems; “installing Mimikatz in the infected system”
• [T1555.003] Credentials in Web Browsers – Infostealer in past attacks targeted browser-stored credentials; “steals account credentials saved in Internet Explorer, Chrome, and Firefox”