Full Report
The Andariel group has for some time been attacking various software used by South Korean companies [1]. Notable targets include asset management solutions and data loss prevention (DLP) solutions, and vulnerability attacks against various other solutions have also been identified. Attack cases by the Andariel group are continuing in the second half of […]
Analysis Summary
# Threat Actor: Andariel
## Attribution & Identity
- **Identification:** The Andariel group.
- **Associations:** The report indicates ongoing activity in the latter half of 2024, leveraging tools previously associated with the group, such as SmallTiger.
## Activity Summary
The Andariel group is actively conducting attacks against South Korean companies, primarily focusing on exploiting vulnerabilities in various software solutions.
- **2024 H2 Activity:** Continued attacks primarily focused on installing the **SmallTiger** malware.
- **Targeted Exploitation:** Continual exploitation of Korean asset management solutions and indications of attacks targeting a Korean document management solution.
- **Initial Access Methods:** In some cases, exploitation of asset management solutions occurred after successfully compromising the control server. An additional observed method involved brute force and dictionary attacks against exposed update servers to replace legitimate update programs with malware.
## Tactics, Techniques & Procedures
- **Initial Access/Exploitation:** Exploiting vulnerabilities in asset management solutions; brute-forcing or dictionary attacking exposed update servers.
- **Malware Delivery:** Replacing legitimate update programs with malware (**SmallTiger**). Delivering **ModeLoader** via compromised asset management solutions. Deploying a web shell via PowerShell download in the document management solution attack.
- **Persistence/Lateral Movement:** Configuring systems for future Remote Desktop Protocol (RDP) access via commands executed through SmallTiger. Installing **CreateHiddenAccount** to add and conceal a backdoor account.
- **Data Collection:** Utilizing a custom keylogger that stores collected keystrokes in the file `MsMpLog.tmp` within the asset management solution's installation path.
- **Reconnaissance:** Executing standard reconnaissance commands (`ping`, `tasklist`, `ipconfig /all`, `netstat -noa`, `whoami`) post-initial access.
## Targeting
- **Sectors:** Unspecified industries utilizing Korean-specific enterprise solutions, including Asset Management Solutions and Document Management/Centralization Solutions.
- **Geography:** South Korea (Korean companies).
- **Victims:** Organizations using vulnerable Korean asset management solutions and document management solutions. Specific organizations are not named.
## Tools & Infrastructure
- **Malware Families Used:**
  - SmallTiger (main payload for the current campaigns).
  - ModeLoader (installed in some asset management compromise cases).
  - Custom keylogger.
- **Infrastructure (C2, Domains, IPs):**
  - C2/download server: `45[.]61[.]148[.]153` (used to deliver `pizza.jsp`, which resolves to `threadstate.jsp`).
- **Other Tools:** Advanced Port Scanner, CreateHiddenAccount (open-source tool for creating hidden accounts).
## Implications
Andariel remains an active and persistent threat focused on high-value internal enterprise systems (asset and document management solutions) in South Korea. Their pivot to replacing software update utilities or directly embedding malware in application installation paths demonstrates a sophisticated understanding of enterprise security blind spots. Continued success in these campaigns allows Andariel to establish deep persistence via hidden RDP accounts and comprehensive data exfiltration via keylogging.
## Mitigations
- Immediately apply security patches for all centralized management solutions (Asset Management, Document Management).
- Strengthen monitoring around update servers for asset management solutions and investigate any anomalous replacement of update files.
- Implement strong access controls and monitor for brute force/dictionary attacks against update servers.
- Harden RDP access configurations and monitor for commands attempting to enable or modify RDP connections (e.g., registry modifications related to `fDenyTSConnections`).
- Enhance monitoring for unusual file activity in application installation directories (e.g., the creation of `MsMpLog.tmp` in the asset management solution's installation path).
- Ensure OS, browsers, and security software (V3) are fully updated.
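As an added detection example (not code from the report or from AhnLab), the following Python checks constructed process-creation events for three of the behaviours described in the TTP and mitigation sections: the RDP-enabling `fDenyTSConnections` registry change, the `MsMpLog.tmp` keylogger artifact, and a burst of the listed reconnaissance commands from one parent process. The event tuple format, host names and the `agent.exe` parent are assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed (timestamp, host, parent, command line) events for this demo, not report data.
SAMPLE_EVENTS = [
    ("2024-09-01T10:00:01", "host1", "agent.exe", "cmd.exe /c whoami"),
    ("2024-09-01T10:00:03", "host1", "agent.exe", "ipconfig /all"),
    ("2024-09-01T10:00:05", "host1", "agent.exe", "netstat -noa"),
    ("2024-09-01T10:00:07", "host1", "agent.exe", "tasklist"),
    ("2024-09-01T10:02:00", "host1", "agent.exe",
     'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
     "/v fDenyTSConnections /t REG_DWORD /d 0 /f"),
    ("2024-09-01T11:30:00", "host2", "explorer.exe", "ping 10.0.0.1"),
]

RECON_CMDS = {"ping", "tasklist", "ipconfig", "netstat", "whoami"}
# fDenyTSConnections written as 0 turns RDP on; MsMpLog.tmp is the keylogger output file.
RDP_ENABLE = re.compile(r"fDenyTSConnections.*\s/d\s+0(\s|$)", re.IGNORECASE)
KEYLOG_FILE = re.compile(r"MsMpLog\.tmp", re.IGNORECASE)


def base_command(cmdline):
    """Command name with 'cmd /c' wrappers, paths and '.exe' stripped."""
    tokens = cmdline.lower().split()
    while tokens and tokens[0] in ("cmd.exe", "cmd", "/c"):
        tokens.pop(0)
    if not tokens:
        return ""
    name = tokens[0].rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name


def detect(events, window=300, min_recon=3):
    """Return (host, tag, detail) alerts for RDP enabling, the keylogger file, and
    >= min_recon distinct recon commands from one parent within `window` seconds."""
    alerts = []
    recon = defaultdict(list)  # (host, parent) -> [(time, command)]
    for ts, host, parent, cmd in events:
        if RDP_ENABLE.search(cmd):
            alerts.append((host, "rdp_enable", cmd))
        if KEYLOG_FILE.search(cmd):
            alerts.append((host, "keylogger_artifact", cmd))
        if base_command(cmd) in RECON_CMDS:
            recon[(host, parent)].append((datetime.fromisoformat(ts), base_command(cmd)))
    for (host, parent), seq in sorted(recon.items()):
        seq.sort()
        for i, (t0, _) in enumerate(seq):  # sliding window over this parent's recon commands
            seen = {c for t, c in seq[i:] if (t - t0).total_seconds() <= window}
            if len(seen) >= min_recon:
                alerts.append((host, "recon_burst", f"{parent}: {sorted(seen)}"))
                break
    return alerts
```

Running `detect(SAMPLE_EVENTS)` flags host1 for both the RDP registry change and the recon burst, while the single `ping` on host2 stays below the threshold.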