Circumstances of an Attack Exploiting an Asset Management Program (Andariel Group)
The ASEC analysis team identified the circumstances of the Andariel group distributing malware via an attack using a certain asset management program. The Andariel group is known to be in a cooperative relationship with or a subsidiary organization of the Lazarus group.
The Andariel group usually relies on spear phishing, watering hole, or supply chain attacks for initial access. In at least one case, the group also abused a central management solution to install its malware. Recently, the Andariel group has been exploiting vulnerabilities such as Log4Shell and flaws in Innorix Agent to attack targets across various corporate sectors in South Korea. [1]
Another asset management program was used in the recently identified attack. Additionally, an attack targeting MS-SQL Server was also identified at the same time. Malware strains installed through these attacks include not only TigerRat, but also various other types such as NukeSped variants, Black RAT, and Lilith RAT, …
IoC