Andariel Hackers Leveraging Remote Tools To Exploit Organizations

The Andariel threat group has been discovered to be using MeshAgent when attacking Korean companies.

The group has previously attacked Korean Asset management solutions for installing malware, such as AndarLoader and ModeLoader. 

However, MeshAgent is used alongside other remote management tools due to the diverse remote control features it offers. The Andariel group has been distributing its malware during the lateral movement phase.

According to reports shared with Cyber Security News, the threat group uses AndarLoader, ModeLoader, MeshAgent, Mimikatz, and other malware attacks, including Backdoors, just like the Kimsuky threat group.

In a previous report, the Andariel group utilized the Innorix agent (data transfer solution).

AndarLoader

This malware is similar to a previously used Andardoor backdoor which was capable of executing commands from the C2 server.

However, AndarLoader is a downloader rather than a backdoor which downloads executables such as .NET assembly and runs it in memory.

As for the obfuscation, the AndarLoader uses the KoiVM tool instead of using the traditional Dotfuscator tool.

However, there are still several strings that are identical to the past AndarLoader. In addition, the present AndarLoader also uses sslClient string when connecting to the C2 server.

MeshAgent

MeshAgent is capable of collecting basic essential information for remote management and offers several features such as power management, account management, chat or message pop-up, file upload, download, and command execution alongside remote desktop features such as RDP and VNC.

As a matter of fact, this is the first case of the Andariel group using the MeshAgent for their operations.

The MeshAgent has been found to be downloaded from an external source with the name “fav.ico.”

ModeLoader

This is a javascript malware which is downloaded externally through the Mshta process and executed instead of being generated and executed.

The Mshta process is specifically targeted by these threat actors in order to download the ModeLoader. 

The ModeLoader provides a simple feature of connecting with the C2 server regularly and receives Base64-encoded commands and executes them.

Additionally, it also sends feedback about the executed commands to the C2 server.

Other Malware Attack cases

Once they take control of the affected system, the threat actors use Mimikatz to extract credentials from the compromised system.

To circumvent the latest security configuration of not storing plain passwords, the threat actors use the UseLogonCredential registry key to extract the credentials. 

Furthermore, the traces of these malicious activities are erased by deleting security event logs of the infected systems using the command “wevtutil cl security.”

Moreover, a keylogger was also found, which was provided by the malware.

Indicators Of Compromise

File Detection

• Backdoor/JS.ModeLoader.SC197310 (2024.03.01.00)
• Trojan/Win.Generic.C5384741 (2023.02.19.01)
• Trojan/Win.KeyLogger.C5542383 (2023.11.16.01)
• Trojan/Win32.RL_Mimikatz.R366782 (2021.02.18.01)

Behavior Detection

• CredentialAceess/MDP.Mimikatz.M4367

MD5

• a714b928bbc7cd480fed85e379966f95 : AndarLoader (%SystemDirectory%\SVPNClientW.exe)
• 4f1b1124e34894398aa423200a8ab894 : KeyLogger (%USERPROFILE%\documents\kerberos.tmp, %USERPROFILE%\kl.exe, %SystemDirectory%\dllhostsvc.exe)
• 2c69c4786ce663e58a3cc093c6d5b530 : ModeLoader
• 29efd64dd3c7fe1e2b022b7ad73a1ba5 : Mimikatz (%USERPROFILE%\mimi.exe)

C&C URL

• privacy.hopto[.]org:443 : AndarLoader
• privatemake.bounceme[.]net:443 : AndarLoader
• 84.38.129[.]21 : MeshAgent
• hxxp://www.ipservice.kro[.]kr/index.php : ModeLoader
• hxxp://www.ipservice.kro[.]kr/view.php : ModeLoader
• hxxp://www.ipservice.kro[.]kr/modeRead.php : ModeLoader
• hxxp://panda.ourhome.o-r[.]kr/view.php : ModeLoader
• hxxp://panda.ourhome.o-r[.]kr/modeRead.php : ModeLoader
• hxxp://panda.ourhome.o-r[.]kr/modeView.php : ModeLoader
• hxxp://www.mssrv.kro[.]kr/view.php : ModeLoader
• hxxp://www.mssrv.kro[.]kr/modeView.php : ModeLoader
• hxxp://www.mssrv.kro[.]kr/modeRead.php : ModeLoader
• hxxp://www.mssrv.kro[.]kr/modeWrite.php : ModeLoader

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.