2023-09-05

A notorious North Korean hacking group known as Andariel (reportedly a subgroup of Lazarus, the well-known North Korean state-sponsored group) has been observed employing an arsenal of malicious tools in cyber attacks against companies and organizations in its southern neighbour, South Korea.

What is known about Andariel

“A feature of the attacks identified in 2023 is that there are numerous variants of malware developed in the Go language,” the AhnLab Security Emergency Response Center (ASEC) stated in an in-depth analysis published last week.

Andariel, also tracked as Nickel Hyatt or Silent Chollima, is a subgroup of the Lazarus Group that is believed to have been active since at least 2008.

Financial institutions, defense companies, government agencies, universities, cybersecurity vendors and energy companies are among the main targets of the group, which is tasked by the North Korean authorities with conducting espionage and illegally generating revenue for the state.

The attacks exploited a variety of initial infection vectors, such as spear phishing, watering hole attacks and supply chain attacks, as a starting point for delivering different malicious payloads.

Some of the malware families employed by Andariel in its attacks include Gh0st RAT, DTrack, YamaBot, NukeSped, Rifdoor, Phandoor, Andarat, Andaratm, TigerRAT (and its successor MagicRAT), and EarlyRAT.

Another derivative of TigerRAT is QuiteRAT, which was recently documented by Cisco Talos as being used by the Lazarus Group in intrusions that exploit security vulnerabilities in Zoho ManageEngine ServiceDesk Plus.

One of the attacks detected by ASEC in February 2023 appears to have involved exploiting security vulnerabilities in an enterprise file transfer solution called Innorix Agent to deploy backdoors such as Volgmer and Andardoor, as well as a Golang-based reverse shell known as 1th Troy.

“Being a reverse shell that only provides basic commands, supported commands include ‘cmd’, ‘exit’ and ‘self delete’,” the cybersecurity firm said. “They support executing commands, terminating processes, and self-deleting, respectively.”

Below is a brief description of some of the new malicious software used by Andariel:

BlackRAT (written in Go), which extends the functionality of 1th Troy to support downloading files and taking screenshots.

Goat RAT (written in Go), which supports basic file tasks and self-delete functionality.

GoLoader (written in .NET), a simplified version of Andardoor that acts as a downloader to retrieve and run executable data such as .NET assemblies from external sources.

DurianBeacon (written in Go and Rust), which can download/upload files and execute commands sent from a remote server.

Evidence collected so far indicates that Goat RAT is delivered after successful exploitation of Innorix Agent, while AndarLoader is installed via DurianBeacon.

“The Andariel group is one of the [most] highly active threat groups targeting [South] Korea, together with Kimsuky and Lazarus,” ASEC said, adding, “The group launched attacks to obtain national security information in the early days, but now it carries out attacks for financial purposes.”

This development comes as North Korean hackers have been implicated in a new round of campaigns seeking to infiltrate open-source repositories such as npm and PyPI with malicious packages and poison the software supply chain.

When cyber threats hit a nation’s authorities, its citizens are automatically affected as well; therefore, although it is unlikely that groups like Lazarus or Andariel will target our country directly, it is always good practice to use strong passwords, maintain good browsing habits and change your credentials (passwords, above all) if one of the sites you are registered with is breached.