Categories: Cyber AttackCyber Security NewsMalware

Andariel Hackers Leveraging Remote Tools To Exploit Organizations

The Andariel threat group has been discovered to be using MeshAgent when attacking Korean companies.

The group has previously attacked Korean Asset management solutions for installing malware, such as AndarLoader and ModeLoader. 

However, MeshAgent is used alongside other remote management tools due to the diverse remote control features it offers. The Andariel group has been distributing its malware during the lateral movement phase.

Mesh installation logs (Source: AhnLab)

According to reports shared with Cyber Security News, the threat group uses AndarLoader, ModeLoader, MeshAgent, Mimikatz, and other malware attacks, including Backdoors, just like the Kimsuky threat group.

In a previous report, the Andariel group utilized the Innorix agent (data transfer solution).

AndarLoader

This malware is similar to a previously used Andardoor backdoor which was capable of executing commands from the C2 server.

However, AndarLoader is a downloader rather than a backdoor which downloads executables such as .NET assembly and runs it in memory.

As for the obfuscation, the AndarLoader uses the KoiVM tool instead of using the traditional Dotfuscator tool.

However, there are still several strings that are identical to the past AndarLoader. In addition, the present AndarLoader also uses sslClient string when connecting to the C2 server.

MeshAgent

Mesh Control panel (Source: AhnLab)

MeshAgent is capable of collecting basic essential information for remote management and offers several features such as power management, account management, chat or message pop-up, file upload, download, and command execution alongside remote desktop features such as RDP and VNC.

As a matter of fact, this is the first case of the Andariel group using the MeshAgent for their operations.

The MeshAgent has been found to be downloaded from an external source with the name “fav.ico.”

ModeLoader

ModLoader malware (Source: AhnLab)

This is a javascript malware which is downloaded externally through the Mshta process and executed instead of being generated and executed.

The Mshta process is specifically targeted by these threat actors in order to download the ModeLoader. 

The ModeLoader provides a simple feature of connecting with the C2 server regularly and receives Base64-encoded commands and executes them.

Additionally, it also sends feedback about the executed commands to the C2 server.

Other Malware Attack cases

Once they take control of the affected system, the threat actors use Mimikatz to extract credentials from the compromised system.

To circumvent the latest security configuration of not storing plain passwords, the threat actors use the UseLogonCredential registry key to extract the credentials. 

Furthermore, the traces of these malicious activities are erased by deleting security event logs of the infected systems using the command “wevtutil cl security.”

Moreover, a keylogger was also found, which was provided by the malware.

Indicators Of Compromise

File Detection

  • Backdoor/JS.ModeLoader.SC197310 (2024.03.01.00)
  • Trojan/Win.Generic.C5384741 (2023.02.19.01)
  • Trojan/Win.KeyLogger.C5542383 (2023.11.16.01)
  • Trojan/Win32.RL_Mimikatz.R366782 (2021.02.18.01)

Behavior Detection

  • CredentialAceess/MDP.Mimikatz.M4367

MD5

  • a714b928bbc7cd480fed85e379966f95 : AndarLoader (%SystemDirectory%\SVPNClientW.exe)
  • 4f1b1124e34894398aa423200a8ab894 : KeyLogger (%USERPROFILE%\documents\kerberos.tmp, %USERPROFILE%\kl.exe, %SystemDirectory%\dllhostsvc.exe)
  • 2c69c4786ce663e58a3cc093c6d5b530 : ModeLoader
  • 29efd64dd3c7fe1e2b022b7ad73a1ba5 : Mimikatz (%USERPROFILE%\mimi.exe)

C&C URL

  • privacy.hopto[.]org:443 : AndarLoader
  • privatemake.bounceme[.]net:443 : AndarLoader
  • 84.38.129[.]21 : MeshAgent
  • hxxp://www.ipservice.kro[.]kr/index.php : ModeLoader
  • hxxp://www.ipservice.kro[.]kr/view.php : ModeLoader
  • hxxp://www.ipservice.kro[.]kr/modeRead.php : ModeLoader
  • hxxp://panda.ourhome.o-r[.]kr/view.php : ModeLoader
  • hxxp://panda.ourhome.o-r[.]kr/modeRead.php : ModeLoader
  • hxxp://panda.ourhome.o-r[.]kr/modeView.php : ModeLoader
  • hxxp://www.mssrv.kro[.]kr/view.php : ModeLoader
  • hxxp://www.mssrv.kro[.]kr/modeView.php : ModeLoader
  • hxxp://www.mssrv.kro[.]kr/modeRead.php : ModeLoader
  • hxxp://www.mssrv.kro[.]kr/modeWrite.php : ModeLoader

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Leave a Comment
Share
Published by
Eswar
Tags: Asset Management Securitycyber securityMalware analysis
10 months ago

Recent Posts

BitMEX Fined $100 Million for Violating Bank Secrecy Act

In a significant legal development, HDR Global Trading Ltd., operating under the name BitMEX, has…

36 minutes ago

CISA Warns of Aviatrix Controllers OS Command Injection Vulnerability Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding a significant…

51 minutes ago

CISA Releases Guidelines For Closing Software Understanding Gap

The Cybersecurity and Infrastructure Security Agency (CISA) has released a pivotal report calling for urgent…

2 hours ago

Hackers Deploy Web Shell To Abuse IIS Worker And Exfiltrate Data

An attacker exploited a vulnerability in the batchupload.aspx and email_settings.aspx pages on the target server…

2 hours ago

Russian Threat Actor “Star Blizzard” Exploit WhatsApp Accounts Using QR Codes

Microsoft Threat Intelligence has identified a concerning strategic shift by the notorious Russian threat actor…

3 hours ago

Hackers Exploiting California Wildfire Sparks to Launching Phishing Attacks

As California grapples with devastating wildfires, communities are rallying to protect lives and property. Unfortunately,…

19 hours ago