Monday, July 15, 2024
EHA

Andariel Hackers Leveraging Remote Tools To Exploit Organizations

The Andariel threat group has been discovered to be using MeshAgent when attacking Korean companies.

The group has previously attacked Korean Asset management solutions for installing malware, such as AndarLoader and ModeLoader. 

However, MeshAgent is used alongside other remote management tools due to the diverse remote control features it offers. The Andariel group has been distributing its malware during the lateral movement phase.

Mesh installation logs (Source: AhnLab)

According to reports shared with Cyber Security News, the threat group uses AndarLoader, ModeLoader, MeshAgent, Mimikatz, and other malware attacks, including Backdoors, just like the Kimsuky threat group.

In a previous report, the Andariel group utilized the Innorix agent (data transfer solution).

AndarLoader

This malware is similar to a previously used Andardoor backdoor which was capable of executing commands from the C2 server.

However, AndarLoader is a downloader rather than a backdoor which downloads executables such as .NET assembly and runs it in memory.

As for the obfuscation, the AndarLoader uses the KoiVM tool instead of using the traditional Dotfuscator tool.

However, there are still several strings that are identical to the past AndarLoader. In addition, the present AndarLoader also uses sslClient string when connecting to the C2 server.

MeshAgent

Mesh Control panel (Source: AhnLab)

MeshAgent is capable of collecting basic essential information for remote management and offers several features such as power management, account management, chat or message pop-up, file upload, download, and command execution alongside remote desktop features such as RDP and VNC.

As a matter of fact, this is the first case of the Andariel group using the MeshAgent for their operations.

The MeshAgent has been found to be downloaded from an external source with the name “fav.ico.”

ModeLoader

ModLoader malware (Source: AhnLab)

This is a javascript malware which is downloaded externally through the Mshta process and executed instead of being generated and executed.

The Mshta process is specifically targeted by these threat actors in order to download the ModeLoader. 

The ModeLoader provides a simple feature of connecting with the C2 server regularly and receives Base64-encoded commands and executes them.

Additionally, it also sends feedback about the executed commands to the C2 server.

Other Malware Attack cases

Once they take control of the affected system, the threat actors use Mimikatz to extract credentials from the compromised system.

To circumvent the latest security configuration of not storing plain passwords, the threat actors use the UseLogonCredential registry key to extract the credentials. 

Furthermore, the traces of these malicious activities are erased by deleting security event logs of the infected systems using the command “wevtutil cl security.”

Moreover, a keylogger was also found, which was provided by the malware.

Indicators Of Compromise

File Detection

  • Backdoor/JS.ModeLoader.SC197310 (2024.03.01.00)
  • Trojan/Win.Generic.C5384741 (2023.02.19.01)
  • Trojan/Win.KeyLogger.C5542383 (2023.11.16.01)
  • Trojan/Win32.RL_Mimikatz.R366782 (2021.02.18.01)

Behavior Detection

  • CredentialAceess/MDP.Mimikatz.M4367

MD5

  • a714b928bbc7cd480fed85e379966f95 : AndarLoader (%SystemDirectory%\SVPNClientW.exe)
  • 4f1b1124e34894398aa423200a8ab894 : KeyLogger (%USERPROFILE%\documents\kerberos.tmp, %USERPROFILE%\kl.exe, %SystemDirectory%\dllhostsvc.exe)
  • 2c69c4786ce663e58a3cc093c6d5b530 : ModeLoader
  • 29efd64dd3c7fe1e2b022b7ad73a1ba5 : Mimikatz (%USERPROFILE%\mimi.exe)

C&C URL

  • privacy.hopto[.]org:443 : AndarLoader
  • privatemake.bounceme[.]net:443 : AndarLoader
  • 84.38.129[.]21 : MeshAgent
  • hxxp://www.ipservice.kro[.]kr/index.php : ModeLoader
  • hxxp://www.ipservice.kro[.]kr/view.php : ModeLoader
  • hxxp://www.ipservice.kro[.]kr/modeRead.php : ModeLoader
  • hxxp://panda.ourhome.o-r[.]kr/view.php : ModeLoader
  • hxxp://panda.ourhome.o-r[.]kr/modeRead.php : ModeLoader
  • hxxp://panda.ourhome.o-r[.]kr/modeView.php : ModeLoader
  • hxxp://www.mssrv.kro[.]kr/view.php : ModeLoader
  • hxxp://www.mssrv.kro[.]kr/modeView.php : ModeLoader
  • hxxp://www.mssrv.kro[.]kr/modeRead.php : ModeLoader
  • hxxp://www.mssrv.kro[.]kr/modeWrite.php : ModeLoader

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Website

Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles