Andariel Group Targets South Korean Entities in New Campaign
Andariel, designated as a sub-group of the Lazarus Group APT, has historically targeted South Korean organzations.
Andariel, a subdivision of the Lazarus Group APT associated with North Korea, is behind a recent attack campaign that uses malicious Word documents and files that mimic PDFs, Kaspersky researchers report.
This group has previously targeted South Korean businesses and government agencies; in this attack, its victims also appear to be South Korean entities.
Researchers say they observed a suspicious Word document with a Korean file name and decoy with an unusual infection scheme and an unfamiliar payload. Further analysis revealed a connection to Andariel; researchers noticed code overlaps between the second stage payload in this campaign and previous malware from the Andariel group. There were other characteristics connecting this malware to Andariel, researchers report.
"Each threat actor has characteristics when they interactively work with a backdoor shell in the post-exploitation phase," they wrote in a report on the findings. "The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity."
Kaspersky says Andariel has been spreading the third stage payload using malicious Word documents since the middle of 2020.
Details on the attack campaign can be found here.
About the Author(s)
You May Also Like
Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024