lazarusholic

Everyday is lazarus.dayβ

Andariel evolves to target South Korea with ransomware

2021-06-15, Kaspersky
https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/
#Andariel #Ransomware #Manuscrypt

Executive summary
In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. While we were doing our research into these findings, Malwarebytes published a nice report with technical details about the same series of attacks, which they attributed to the Lazarus group. After a deep analysis, we came to a more precise conclusion: the Andariel group was behind these attacks. Andariel was designated by the Korean Financial Security Institute as a sub-group of Lazarus.
Our attribution is based on the code overlaps between the second stage payload in this campaign and previous malware from the Andariel group. Apart from the code similarity, we found an additional connection with the Andariel group. Each threat actor has characteristics when they interactively work with a backdoor shell in the post-exploitation phase. The way Windows commands and their options were …

IoC
