Full Disclosure of Andariel, A Subgroup of Lazarus Threat Group
2018. 06. 23
220, Pangyoyeok-ro, Bundang-gu, Seongnam-si, Gyeonggi-do, South Korea
Tel: +82-31-722-8000 | Fax: +82-31-722-8901 | www.ahnlab.com | © AhnLab, Inc. All rights reserved.
Analysis Report_Andariel Threat Group
Table of Contents
Overview ........ 3
Attack Vectors (Infection Routes) ........ 3
1. Spear Phishing ........ 4
2. Watering Hole (Active-X Vulnerability) ........ 5
3. Central Management Solution ........ 6
4. Supply Chain Attack ........ 8
Attack Cases ........ 8
Malware and Attack Tools ........ 10
1. Malware – Backdoor ........ 10
1.1) Aryan ........ 10
1.2) Gh0st RAT ........ 11
1.3) Rifdoor ........ 11
1.4) Phandoor ........ 12
1.5) Andaratm ........ 13
2. Attack Tools ........ 14
Similarities in Multiple Attack Cases ........ 15
AhnLab’s Response ........ 16
Conclusion ........ 17
Reference ........ 18
Overview
The Andariel group is a subgroup of the Lazarus group that has been active since 2015. Andariel has a connection
to the cyber-attack named Operation Black Mine that occurred in 2014 and 2015. However, Operation …