The North Korean threat actor known as Andariel has been observed employing an arsenal of malicious tools in its cyber assaults against corporations and organizations in the southern counterpart.
“One characteristic of the attacks identified in 2023 is that there are numerous malware strains developed in the Go language,” the AhnLab Security Emergency Response Center (ASEC) said in a deep dive released last week.
Andariel, also known by the names Nicket Hyatt or Silent Chollima, is a sub-cluster of the Lazarus Group that’s known to be active since at least 2008.
Financial institutions, defense contractors, government agencies, universities, cybersecurity vendors, and energy companies are among the top targets for the state-sponsored group to fund espionage activities and illegally generate revenue for the country.
Attack chains mounted by the adversary have leveraged a variety of initial infection vectors, such as spear-phishing, watering holes, and supply chain attacks, as a beachhead to launch different payloads.
Some of the malware families employed by Andariel in its attacks include Gh0st RAT, DTrack, YamaBot, NukeSped, Rifdoor, Phandoor, Andarat, Andaratm, TigerRAT (and its successor MagicRAT), and EarlyRAT.
Another derivative of TigerRAT is QuiteRAT, which was recently documented by Cisco Talos as used by the Lazarus Group in intrusions exploiting security flaws in Zoho ManageEngine ServiceDesk Plus.
One of the attacks detected by ASEC in February 2023 is said to have involved the exploitation of security flaws in an enterprise file transfer solution called Innorix Agent to distribute backdoors such as Volgmer and Andardoor, as well as a Golang-based reverse shell known as 1th Troy.
“Being a reverse shell that only provides basic commands, the commands supported include ‘cmd,’ ‘exit,’ and ‘self delete,'” the cybersecurity company said. “They support the command execution, process termination, and self-deletion features, respectively.”
A brief description of some of the other new malicious software put to use by Andariel is listed below –
- Black RAT (written in Go), which extends the features of 1th Troy to support file downloads and screenshot captures
- Goat RAT (written in Go), which supports basic file tasks and self-deletion features
- AndarLoader (written in .NET), a stripped-down version of Andardoor which acts as a downloader to fetch and execute executable data such as .NET assemblies from external sources, and
- DurianBeacon (written in Go and Rust), which can download/upload files and run commands sent from a remote server
Evidence gathered so far shows that Goat RAT is delivered following the successful exploitation of Innorix Agent, while AndarLoader is installed through DurianBeacon.
Way Too Vulnerable: Uncovering the State of the Identity Attack Surface
Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats
“The Andariel group is one of the highly active threat groups targeting Korea along with Kimsuky and Lazarus,” ASEC said. “The group launched attacks to gain information related to national security in the early days but now carries out attacks for financial gains.”
The development comes as North Korean actors have been implicated in a new set of campaigns that seek to infiltrate open-source repositories such as npm and PyPI with malevolent packages and poison the software supply chain.