lazarusholic

Andariel’s “Jupiter” malware and the case of the curious C2

2023-05-16, DCSO
https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499
#Jupiter #Andariel

Since 2020, DCSO has been monitoring a publicly undocumented malware family attributed to the Andariel group, a subgroup of the infamous North Korean Lazarus Group. The malware family has remained largely unchanged over the years and has made only a few appearances.
In early 2023, however, one such appearance seemed particularly noteworthy: the configured command-and-control (C2) address suggests that the attackers managed to compromise the web presence of the National Institute of Virology in India and possibly used it to control computers infected with the malware.
In this blog post, we document the malware and discuss how this finding fits the attacker profile.
Blog authored by Johann Aydinbas, Emilia Neuber, Kritika Roy, Axel Wauer, Jiro Minier and colleagues.
Basic case information
In 2020, DCSO first came across an unknown malware family uploaded to VirusTotal. During our analysis we discovered that we weren’t the first to …

IoC

IP addresses
103.73.189.76
173.249.33.80
173.249.44.87
3.89.226.234
40.121.90.194

SHA-256 hashes
34d5a5d8bec893519f204b573c33d54537b093c52df01b3d8c518af08ee94947
664f8d19af3400a325998b332343a9304f03bab9738ddab1530869eff13dae54
772b06f34facf6a2ce351b8679ff957cf601ef3ad29645935cb050b4184c8d51
9a5504dcfb7e664259bfa58c46cfd33e554225daf1cedea2ec2a9d83bbbfe238
aa29bf4292b68d197f4d8ca026b97ec7785796edcb644db625a8f8b66733ab54
c28bb61de4a6ad1c5e225ad9ec2eaf4a6c8ccfff40cf45a640499c0adb0d8740

URLs
http://173.249.33.80
http://3.89.226.234/login.php
http://40.121.90.194/help.php
http://eflow.co.kr/member_image/about.php
http://niv.co.in
http://projectcell.niv.co.in
http://projectcell.niv.co.in/non_scientific/service.php
http://sora.bz/xoops_root_path/templates_c/login.php
http://sora.bz/xoops_root_path/uploads/information/about.php