Analysis of Andariel's New Attack Activities
Contents
1. Past attack cases
    1.1. Cases of Innorix Agent abuse
        1.1.1. NukeSped variant – Volgmer
        1.1.2. Andardoor
        1.1.3. 1th Troy Reverse Shell
    1.2. Cases of attacks against Korean corporations
        1.2.1. TigerRat
        1.2.2. Black RAT
        1.2.3. NukeSped variants
2. Cases of recent attacks
    2.1. Cases of Innorix Agent abuse
        2.1.1. Goat RAT
    2.2. Cases of attacks against Korean corporations
        2.2.1. AndarLoader
        2.2.2. DurianBeacon
3. Connections to recent attack cases
4. Connections to past attack cases of the Andariel group
5. Conclusion
The Andariel threat group, which usually targets Korean corporations and organizations, is known to be affiliated with the Lazarus threat group or to be one of its subsidiaries. Attacks against Korean targets have been identified since 2008. Its major targets are industries related to national security, such as national defense, political organizations, shipbuilding, energy, and communications. Various other companies and institutes in Korea, including universities, logistics, and ICT companies, are also becoming attack targets. [1] (this report …
IoC
MD5 hashes
01ccce480c60fcdb67b54f4509ffdb56
0211a3160cc5871cbcd4e5514449162b
0a09b7f2317b3d5f057180be6b6d0755
1ffccc23fef2964e9b1747098c19d956
426bb55531e8e3055c942a1a035e46b9
5291aed100cc48415636c4875592f70c
5a3f3f75048b9cec177838fb8b40b945
6ab4eb4c23c9e419fbba85884ea141f4
6de6c27ca8f4e00f0b3e8ff5185a59d1
79e474e056b4798e0a3e7c60dd67fd28
8434cdd34425916be234b19f933ad7ea
88a7c84ac7f7ed310b5ee791ec8bd6c5
9112efb49cae021abebd3e9a564e6ca4
95c276215dcc1bd7606c0cb2be06bf70
9d7bd0caed10cc002670faff7ca130f5
ac0ada011f1544aa3a1cf27a26f2e288
bbaee4fe73ccff1097d635422fdc0483
bcac28919fa33704a01d7a9e5e3ddf3f
bda0686d02a8b7685adf937cbcd35f46
c61a8c4f6f6870c7ca0013e084b893d2
c892c60817e6399f939987bd2bf5dee0
cfae52529468034dbbb40c9a985fa504
dd7b696b96434d2bf07b34f9c125d51d
deae4be61c90ad6d499f5bdac5dad242
e5410abaaac69c88db84ab3d0e9485ac
eb35b75369805e7a6371577b1d2c4531
f4795f7aec4389c8323f7f40b50ae46f
IP addresses
4.246.144.112
4.246.149.227
8.213.128.76
13.76.133.68
27.102.107.224
27.102.107.230
27.102.107.233
27.102.107.234
27.102.107.235
27.102.113.88
27.102.129.196
46.183.223.21
109.248.150.179
139.177.190.243
217.195.153.233
URLs
http://109.248.150.179:443
http://13.76.133.68:10443
http://13.76.133.68:8080
http://139.177.190.243/update.exe
http://139.177.190.243:443
http://217.195.153.233:443
http://27.102.107.224/update.exe
http://27.102.107.224:5443
http://27.102.107.224:8443
http://27.102.107.230/mstcs.exe
http://27.102.107.230/update.exe
http://27.102.107.233/client.exe
http://27.102.107.233/update.exe
http://27.102.107.234/update.exe
http://27.102.107.234:8443
http://27.102.107.235/mstcs.exe
http://27.102.113.88/client.exe
http://27.102.113.88/update.exe
http://27.102.113.88:21
http://27.102.113.88:5443
http://27.102.129.196:8088
http://4.246.144.112/update.exe
http://4.246.144.112:443
http://4.246.149.227:8080
http://46.183.223.21:8080
http://8.213.128.76:1012
http://bbs.topigsnorsvin.com.ec:8080
http://chinesekungfu.org:443
http://privatemake.bounceme.net:443
http://www.ipservice.kro.kr/creditsvc.exe
http://www.ipservice.kro.kr/dataSeq.exe