Follow on X RSS Feed
Ransomware

Andariel Hacking Group Targets Global Defense and Infrastructure Sectors

Cybersec Sentinel

3 min read
Andariel Hacking Group Targets Global Defense and Infrastructure Sectors

Threat Group: - Andariel (Subgroup of Lazarus Group, aka Stonefly, Silent Chollima, Onyx Sleet)
Threat Type: - Advanced Persistent Threat (APT), Ransomware, Cyber Espionage
Exploited Vulnerabilities: - CVE-2023-22515 (Atlassian Confluence), CVE-2023-27350 (PaperCut), CVE-2023-42793 (TeamCity), CVE-2021-44228 (Apache Log4j)
Malware Used: - DTrack, Maui, Dora RAT, Nukebot, SHATTEREDGLASS, Sliver, Mimikatz
Threat Score: - High (8.7/10)
Last Threat Observation: - October 2024

Overview

Andariel, a notorious subgroup of the Lazarus Group, has expanded its operations to focus on both cyber espionage and financially motivated attacks. Its targets include defense, aerospace, nuclear programs, healthcare, and critical infrastructure sectors worldwide. Leveraging custom malware and publicly known vulnerabilities, the group continues to conduct high-profile ransomware campaigns and data theft operations. Its notable use of tools like DTrack and Maui ransomware has enabled significant financial gains while furthering North Korea's strategic objectives.

Key Details

Delivery Method:

  • Spear-phishing campaigns and exploitation of known vulnerabilities in internet-facing applications, such as Atlassian Confluence and PaperCut.

Target:

  • Critical infrastructure, including defense, aerospace, energy, healthcare, and financial institutions.

Functions:

  1. Ransomware Deployment using Maui and SHATTEREDGLASS for extortion.
  2. Data Exfiltration through DTrack and Nukebot malware.
  3. Credential Harvesting with tools like Mimikatz for lateral movement.
  4. Remote Access via custom remote access trojans (RATs) such as Dora RAT and EarlyRat.
  5. Obfuscation Techniques to evade detection, including the use of fraudulent digital certificates.

Obfuscation:

  • Andariel uses fake digital certificates (e.g., impersonating Tableau Software) and employs encryption techniques to hide its malware and C2 communications, making detection difficult for traditional security tools.

Attack Vectors

Andariel primarily gains access to target networks via spear-phishing attacks. Once initial access is obtained, the group exploits known vulnerabilities, like CVE-2023-22515 in Atlassian Confluence and CVE-2021-44228 in Apache Log4j, to establish persistence. From there, they deploy remote access tools such as Dora RAT and DTrack, along with credential-stealing tools like Mimikatz, to escalate their operations. Their campaigns often culminate in the deployment of ransomware, such as Maui, to extort victims.

Known Indicators of Compromise (IoCs)

File Hashes (SHA256):

  • f64dab23c50e3d131abcc1bdbb35ce9d68a34920dd77677730568c24a84411c5 (Backdoor.Preft)
  • d71f478b1d5b8e489f5daafda99ad203de356095278c216a421694517826b79a (Keylogger)
  • a7711b8314b256d279e104ea3809f0668d3615fba584ca887d9c495795d0a98e (Malicious file)

Dora RAT File Hashes (MD5):

  • 4bc571925a80d4ae4aab1e8900bf753c (Dora RAT dropper)
  • 951e9fcd048b919516693b25c13a9ef2 (Dora RAT injector)
  • d92a317ef4d60dc491082a2fe6eb7a70 (Dora RAT executable)

Domains:
Andariel uses compromised cloud infrastructure and fraudulent digital certificates for command-and-control (C2) operations.

C2 Servers:

  • 45.58.159[.]237:443
  • 209.127.19[.]223:443

Mitigation and Prevention

User Awareness:

  • Conduct training to help users recognize phishing emails and suspicious links or attachments.

Email Filtering:

  • Implement email filtering to block spear-phishing emails with known malicious indicators.

Antivirus Protection:

  • Ensure endpoint protection is in place and regularly updated to detect tools like DTrack, Sliver, and Mimikatz.

Two-Factor Authentication (2FA):

  • Implement 2FA across all user accounts, particularly those with administrative privileges.

Monitor Logs:

  • Review network and system logs regularly for unusual activity, especially for outgoing traffic to known C2 infrastructure.

Regular Updates:

  • Apply patches for known vulnerabilities, especially those targeted by Andariel (e.g., CVE-2023-22515, CVE-2021-44228).

Podcast Discussion

Listen to our latest podcast episode, where we discuss Andariel’s latest attacks, their evolving tactics, and how organizations can defend against these persistent threats.

audio-thumbnail
Andariel Hacking Group Targets Global Defense and Infrastructure Sectors
0:00
/636.36

Conclusion

Andariel remains a significant threat to global organizations, particularly those in critical sectors such as defense and healthcare. Their evolving toolkit, which includes ransomware and custom RATs, along with sophisticated obfuscation techniques, enables them to remain undetected while carrying out both espionage and financially motivated attacks. Organizations should prioritize robust patch management and security awareness to mitigate the risk from this persistent APT group.

Sources:

  1. The Hacker News, "North Korean Hacker Group Andariel Strikes with New EarlyRat Malware"
  2. Breaking Defense, "US and South Korea Warn of Andariel Attacks"