The Andariel threat group has been discovered to be using MeshAgent when attacking Korean companies.
The group has previously attacked Korean Asset management solutions for installing malware, such as AndarLoader and ModeLoader.
However, MeshAgent is used alongside other remote management tools due to the diverse remote control features it offers. The Andariel group has been distributing its malware during the lateral movement phase.
According to reports shared with Cyber Security News, the threat group uses AndarLoader, ModeLoader, MeshAgent, Mimikatz, and other malware attacks, including Backdoors, just like the Kimsuky threat group.
In a previous report, the Andariel group utilized the Innorix agent (data transfer solution).
This malware is similar to a previously used Andardoor backdoor which was capable of executing commands from the C2 server.
However, AndarLoader is a downloader rather than a backdoor which downloads executables such as .NET assembly and runs it in memory.
As for the obfuscation, the AndarLoader uses the KoiVM tool instead of using the traditional Dotfuscator tool.
However, there are still several strings that are identical to the past AndarLoader. In addition, the present AndarLoader also uses sslClient string when connecting to the C2 server.
MeshAgent is capable of collecting basic essential information for remote management and offers several features such as power management, account management, chat or message pop-up, file upload, download, and command execution alongside remote desktop features such as RDP and VNC.
As a matter of fact, this is the first case of the Andariel group using the MeshAgent for their operations.
The MeshAgent has been found to be downloaded from an external source with the name “fav.ico.”
This is a javascript malware which is downloaded externally through the Mshta process and executed instead of being generated and executed.
The Mshta process is specifically targeted by these threat actors in order to download the ModeLoader.
The ModeLoader provides a simple feature of connecting with the C2 server regularly and receives Base64-encoded commands and executes them.
Additionally, it also sends feedback about the executed commands to the C2 server.
Once they take control of the affected system, the threat actors use Mimikatz to extract credentials from the compromised system.
To circumvent the latest security configuration of not storing plain passwords, the threat actors use the UseLogonCredential registry key to extract the credentials.
Furthermore, the traces of these malicious activities are erased by deleting security event logs of the infected systems using the command “wevtutil cl security.”
Moreover, a keylogger was also found, which was provided by the malware.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…
The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to malicious…
Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in 2022…
CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for building…
A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin, formerly…
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert and added two…