Thursday, December 5, 2024
HomeCyber AttackAndariel Hackers Attacking Asset Management Companies to Inject Malicious Code

Andariel Hackers Attacking Asset Management Companies to Inject Malicious Code

Published on

SIEM as a Service

The Andariel threat group was observed conducting persistent attacks against domestic businesses, specifically installing MeshAgent for remote screen control while conducting the attack.

MeshAgent collects basic system information for remote management and performs activities such as power and account management, chat or message pop-ups, file upload/download, and command execution

It also has remote desktop support. In particular, the web supports remote desktop protocols like RDP and VNC.

- Advertisement - SIEM as a Service

“The attacker exploited domestic asset management solutions to install malicious code, most notably AndarLoader and ModeLoader”, AhnLab Security Intelligence Center (ASEC) shared with Cyber Security News.

Among the threat groups currently targeting Korea are the Andariel group, the Kimsuky group, and the Lazarus group. 

As part of the initial access, it has also been known to launch supply chain, spear phishing, or watering hole attacks.

The malware is spread by taking advantage of installed software or flaws in the attack process.

Several Malware Backdoors Employed 

AndarLoader is similar to Andardoor, discovered in an attack case that misused the Innorix Agent.

However, in contrast to Andardoor, the majority of the backdoor functions used by AndarLoader carry out the attacker’s commands via binary, executable data obtained from the C&C server, such as the .NET assembly.

“The AndarLoader confirmed this time is characterized by being obfuscated using KoiVM, unlike past types that were obfuscated with the Dotfuscator tool,” researchers said.

The attacker erased the compromised system’s security event log using AndarLoader and the command “wevtutil cl security.”

AndarLoader obfuscated with KoiVM
AndarLoader obfuscated with KoiVM

Additionally, MeshAgent gathers the fundamental system information needed for remote management.

The use of MeshAgent by the Andariel group was first verified, and it was downloaded externally under the name “fav.ico.”

MeshAgent installation log
MeshAgent installation log

ModeLoader is a JavaScript malware that the Andariel group has been using nonstop in the past.

It is downloaded and run externally via Mshta rather than being created as a file. 

“Attackers mainly exploit asset management solutions to execute the Mshta command that downloads ModeLoader”, researchers said.

ModeLoader executing commands received from the C&C server
ModeLoader executing commands received from the C&C server

Researchers say the attack campaign verified a feature:

in the majority of attack cases, keylogger malware was also detected.

The malware records data copied to the clipboard and keylogger and offers keylogging functionality.

Since its previous use of Innorix Agent, the Andariel group has been consistently abusing the asset management solutions of domestic businesses to disseminate malware during lateral movement.

Recommendation

Users must exercise extra caution when opening executable files from websites or attachments to emails from unknown senders.

Corporate security employees ought to strengthen asset management solution monitoring and apply fixes when there are program security flaws.

Also, take precautions to avoid being infected by this kind of malware beforehand by updating the most recent patches and V3 for operating systems and web browsers.

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...