Tuesday, May 6, 2025
HomeCyber AttackAndariel Hackers Leveraging Remote Tools To Exploit Organizations

Andariel Hackers Leveraging Remote Tools To Exploit Organizations

Published on

SIEM as a Service

Follow Us on Google News

The Andariel threat group has been discovered to be using MeshAgent when attacking Korean companies.

The group has previously attacked Korean Asset management solutions for installing malware, such as AndarLoader and ModeLoader. 

However, MeshAgent is used alongside other remote management tools due to the diverse remote control features it offers. The Andariel group has been distributing its malware during the lateral movement phase.

- Advertisement - Google News
Mesh installation logs (Source: AhnLab)

According to reports shared with Cyber Security News, the threat group uses AndarLoader, ModeLoader, MeshAgent, Mimikatz, and other malware attacks, including Backdoors, just like the Kimsuky threat group.

In a previous report, the Andariel group utilized the Innorix agent (data transfer solution).

AndarLoader

This malware is similar to a previously used Andardoor backdoor which was capable of executing commands from the C2 server.

However, AndarLoader is a downloader rather than a backdoor which downloads executables such as .NET assembly and runs it in memory.

As for the obfuscation, the AndarLoader uses the KoiVM tool instead of using the traditional Dotfuscator tool.

However, there are still several strings that are identical to the past AndarLoader. In addition, the present AndarLoader also uses sslClient string when connecting to the C2 server.

MeshAgent

Mesh Control panel (Source: AhnLab)

MeshAgent is capable of collecting basic essential information for remote management and offers several features such as power management, account management, chat or message pop-up, file upload, download, and command execution alongside remote desktop features such as RDP and VNC.

As a matter of fact, this is the first case of the Andariel group using the MeshAgent for their operations.

The MeshAgent has been found to be downloaded from an external source with the name “fav.ico.”

ModeLoader

ModLoader malware (Source: AhnLab)

This is a javascript malware which is downloaded externally through the Mshta process and executed instead of being generated and executed.

The Mshta process is specifically targeted by these threat actors in order to download the ModeLoader. 

The ModeLoader provides a simple feature of connecting with the C2 server regularly and receives Base64-encoded commands and executes them.

Additionally, it also sends feedback about the executed commands to the C2 server.

Other Malware Attack cases

Once they take control of the affected system, the threat actors use Mimikatz to extract credentials from the compromised system.

To circumvent the latest security configuration of not storing plain passwords, the threat actors use the UseLogonCredential registry key to extract the credentials. 

Furthermore, the traces of these malicious activities are erased by deleting security event logs of the infected systems using the command “wevtutil cl security.”

Moreover, a keylogger was also found, which was provided by the malware.

Indicators Of Compromise

File Detection

  • Backdoor/JS.ModeLoader.SC197310 (2024.03.01.00)
  • Trojan/Win.Generic.C5384741 (2023.02.19.01)
  • Trojan/Win.KeyLogger.C5542383 (2023.11.16.01)
  • Trojan/Win32.RL_Mimikatz.R366782 (2021.02.18.01)

Behavior Detection

  • CredentialAceess/MDP.Mimikatz.M4367

MD5

  • a714b928bbc7cd480fed85e379966f95 : AndarLoader (%SystemDirectory%\SVPNClientW.exe)
  • 4f1b1124e34894398aa423200a8ab894 : KeyLogger (%USERPROFILE%\documents\kerberos.tmp, %USERPROFILE%\kl.exe, %SystemDirectory%\dllhostsvc.exe)
  • 2c69c4786ce663e58a3cc093c6d5b530 : ModeLoader
  • 29efd64dd3c7fe1e2b022b7ad73a1ba5 : Mimikatz (%USERPROFILE%\mimi.exe)

C&C URL

  • privacy.hopto[.]org:443 : AndarLoader
  • privatemake.bounceme[.]net:443 : AndarLoader
  • 84.38.129[.]21 : MeshAgent
  • hxxp://www.ipservice.kro[.]kr/index.php : ModeLoader
  • hxxp://www.ipservice.kro[.]kr/view.php : ModeLoader
  • hxxp://www.ipservice.kro[.]kr/modeRead.php : ModeLoader
  • hxxp://panda.ourhome.o-r[.]kr/view.php : ModeLoader
  • hxxp://panda.ourhome.o-r[.]kr/modeRead.php : ModeLoader
  • hxxp://panda.ourhome.o-r[.]kr/modeView.php : ModeLoader
  • hxxp://www.mssrv.kro[.]kr/view.php : ModeLoader
  • hxxp://www.mssrv.kro[.]kr/modeView.php : ModeLoader
  • hxxp://www.mssrv.kro[.]kr/modeRead.php : ModeLoader
  • hxxp://www.mssrv.kro[.]kr/modeWrite.php : ModeLoader

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems...

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21...

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its...

RomCom RAT Targets UK Organizations Through Compromised Customer Feedback Portals

The Russian-based threat group RomCom, also known as Storm-0978, Tropical Scorpius, and Void Rabisu,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems...

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21...

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its...