Analysis of Attack Cases Against Korean Solutions by the Andariel Group (SmallTiger)

2024-12-23, Ahnlab
https://asec.ahnlab.com/en/85400/
#Andariel #SmallTiger

Contents

Analysis of Attack Cases Against Korean Solutions by the Andariel Group (SmallTiger)
The Andariel group has for years been attacking various software used by South Korean companies [1]. Notable targets include asset management solutions and data loss prevention (DLP) solutions, and vulnerability exploitation has also been identified in various other solutions.
Attacks by the Andariel group continued into the second half of 2024, primarily installing SmallTiger [2]. A major example of the software being exploited is Korean asset management solutions, which have been abused for years, and there are also indications of exploitation involving a document centralization solution.
1. Attack Cases on Korean Asset Management Solutions
Asset management solutions are continuously exploited in attacks. Given how these products work, it is presumed that once the control server is compromised, the threat actor uses it to push malware installation commands to managed hosts. In most of these attack cases, ModeLoader was installed.
Additionally, there has …

IoC

http://45.61.148.153
http://45.61.148.153/pizza.jsp
20.20.100.32
45.61.148.153