The Andariel group, identified as a South Korean threat actor and believed to be connected with or a subsidiary of the Lazarus group, has been involved in distributing malware via an attack exploiting an asset management program. This information has been analyzed and reported by AhnLab Smart Defense (ASD) and the ASEC analysis team. The Andariel group has been active since at least 2009 and is known for targeting South Korean government agencies, military organizations, and various domestic companies, along with conducting cyber financial operations against ATMs, banks, and cryptocurrency exchanges.
In their recent operations, Andariel has been exploiting vulnerabilities in numerous programs, such as Log4Shell and Innorix Agent, to attack targets across various sectors in South Korea. They have used malware such as TigerRAT, NukeSped variants, Black RAT, and Lilith RAT in these attacks. An attack targeting MS-SQL Server was also identified around the same time as these incidents.
IoC
Domains
- song.th
References
- https://asec.ahnlab.com/en/59073/
- https://otx.alienvault.com/pulse/655b181c20eca1d03e584eb2