Geeks for your information Security Security Vendors Kaspersky Kaspersky Security Blog v
Andariel evolves to target South Korea with ransomware
Andariel evolves to target South Korea with ransomware
harlan4096 Online
MalWare Zoo Team
*******
Posts: 13,651
Threads: 9,190
Thanks Received: 8,903 in 7,059 posts
Thanks Given: 9,584
Joined: 12 September 18
#1
Bug  17 June 21, 06:05
Quote:
[Image: abstract-digital-lock.jpg]

Executive summary

In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. While we were doing our research into these findings, Malwarebytes published a nice report with technical details about the same series of attacks, which they attributed to the Lazarus group. After a deep analysis, we came to a more precise conclusion: the Andariel group was behind these attacks. Andariel was designated by the Korean Financial Security Institute as a sub-group of Lazarus.

Our attribution is based on the code overlaps between the second stage payload in this campaign and previous malware from the Andariel group. Apart from the code similarity, we found an additional connection with the Andariel group. Each threat actor has characteristics when they interactively work with a backdoor shell in the post-exploitation phase. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity.

The threat actor has been spreading the third stage payload from the middle of 2020 onwards and leveraged malicious Word documents and files mimicking PDF documents as infection vectors. Notably, in addition to the final backdoor, we discovered one victim getting infected with custom ransomware. It adds another facet to this Andariel campaign, which also sought financial profit in a previous operation involving the compromise of ATMs.

For more information please contact: intelreports@kaspersky.com

Background

This research started off with us discovering a suspicious Word document on VirusTotal. It contains an unfamiliar macro and uses novel techniques to implant the next payload. We discovered two infection methods used in these attacks in our telemetry, where each payload has its own loader for execution in memory. The threat actor only delivered the final stage payload for selected victims.

Initial infection or spreading

As pointed out in Malwarebytes’s public report, the actor sent weaponized documents to the victim as an initial infection vector. The documents use sophisticated infection methods to try to impede detection.
...
Continue Reading
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
UltraSearch 4.6.0.1091
UltraSearch 4.6.0....harlan4096 — 10:38
Brave 1.73.91
Release Channel 1....harlan4096 — 10:11
AdGuard Browser Extension 5.0.169 (MV3)
AdGuard Browser Ex...harlan4096 — 10:10
uBOLite_2024.11.20.858
uBOLite_2024.11.20...harlan4096 — 10:09
CrystalDiskInfo 9.5.0 [2024/11/20]
9.5.0 ​ Added D...harlan4096 — 10:08

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
avatar (56)Stefanos

[-]
Online Staff
There are no staff members currently online.

>