Andariel Threat Actor Intelligence Profile

Tracking started: a year ago, last updated: Fri Mar 22 2024, uuid: 54b43ad2-03a9-4966-ac67-cf57d4b9d6ab

Andariel Description

Generated from Cybergeist context a month ago. This description is learned via the associations below.
Andariel, a threat actor and subgroup of the notorious Lazarus Group, has been identified as a significant cybersecurity risk. Known for its use of DTrack malware and Maui ransomware, the group saw its activities escalate in mid-2022. This North Korean entity has also expanded its Tactics, Techniques, and Procedures (TTPs) with the discovery of a previously undocumented malware family. Notably, Andariel has been seen exploiting software vulnerabilities alongside other nation-state threat actors such as Russia's APT29 and ransomware gangs, emphasizing the need for prompt patching of software flaws. The group's malicious activities have not gone unnoticed by authorities: South Korea imposed sanctions on eight North Korean individuals, including Ri Chang-ho, believed to be behind major cyberattacks conducted by groups like Kimsuky, Lazarus, and Andariel. The group has also been linked to several Advanced Persistent Threats (APTs) backed by North Korea, further highlighting the global concern over its activities. In October 2023, Microsoft's Threat Intelligence Center pointed out that Andariel, along with other North Korean-backed APTs, was exploiting the TeamCity vulnerability (CVE-2023-42793) to install persistent backdoors. This activity overlaps with previous disclosures linking it to Andariel, reinforcing the group's reputation as a persistent and sophisticated threat. Furthermore, various threat groups, including Andariel, were found exploiting CVE-2023-46604 to deploy backdoors and malware such as NukeSped and TigerRat, demonstrating the group's ongoing commitment to developing and utilizing advanced cyberattack methods.
Andariel STIX 2.1 Package Preview
STIX package updated a month ago. The preview below is the flattened set of node and relationship labels from the package, grouped by type:
Relationship types: alias (11), related-to (6)
Sources: CERT-EU, DARKReading, Cybergeist
Related objects: collection, ninerat, earlyrat, reconnaissance general bureau rgb, cve-2023-42793, Log4Shell
Cited reports: Global TeamCity Exploitation Opens Door to SolarWinds-Style Nightmare; Cyber Security Week In Review: December 29, 2023; Critical JetBrains TeamCity flaws come under active attacks; Apache ActiveMQ Vulnerability: The Threat That Cannot Be Ignored; JetBrain urges to fix critical TeamCity On-Premises vulnerabilities
Alias names: Andariel, reconnaissance general bureau, ZINC, plutonium, APT38, onyx sleet, rgb, Silent Chollima, Lazarus, Lazarus Group, Bluenoroff, stonefly

Andariel Association List

The following associations have been automatically determined. Expand the row to see evidence. Votes are automatically added when the same assertion is recorded from different sources, or updated by human users.

Associated Object    Votes/Source    Classification    Association Type
Ransomware           5               Threat Class      unspecified
Malware              5               Threat Class      unspecified
Apt                  5               Threat Class      unspecified
Lazarus Group        5               Threat Actor      alias
CVE-2023-42793       4               Vulnerability     unspecified
Onyx Sleet           4               Threat Actor      alias
Exploit              4               Threat Class      unspecified
Cybercrime           4               Threat Class      unspecified
Reconnaissance       4               Tactic            unspecified
Log4j                3               Software          unspecified
Context provided by 8 Sources
CSO Online
CSO serves enterprise security decision-makers and users with the critical information they need to stay ahead of evolving threats and defend against criminal cyberattacks. With incisive content that addresses all security disciplines from risk management to network defense to fraud and data loss prevention, CSO offers unparalleled depth and insight to support key decisions and investments for IT security professionals.
Securityaffairs
Checkpoint
Checkpoint Research
CERT-EU
BankInfoSecurity
BankInfoSecurity is a multi-media website published by Information Security Media Group, Corp. (ISMG)
MITRE
MITRE began in 1958, sponsored by the U.S. Air Force to bridge across the academic research community and industry to architect the Semi-Automatic Ground Environment, or SAGE, a key component of Cold War-era air defense.
Malwarebytes
DARKReading

Recent statements about Andariel

Recent statements allow a quick snapshot for understanding how this object is evolving. Each row below is the statement text as recorded from its source.
The attacks, which entail the exploitation of CVE-2023-42793 https://thehackernews.com/2023/10/cisa-warns-of-active-exploitation-of.html (CVSS score: 9.8), have been attributed https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-k...
The researchers at Kaspersky are credited for identifying the new malware and attribute the EarlyRat trojan to the advanced persistent threat (APT) group Andariel (also known as Stonefly https://www.scmagazine.com/brief/ransomware/maui-ransomware-att...
Seoul police have accused the North Korean hacker group Andariel of stealing sensitive defense secrets from South Korean defense companies and laundering ransomware proceeds back to North Korea.
Police said they had seized the domestic servers and virtual asset exchanges used by Andariel to launch attacks and launder money and arrested the person who owned the account used to transfer the ransomware funds.
We discovered a previously undocumented malware family and an addition to Andariel’s set of TTPs.
Additionally, Andariel has been involved in ransomware attacks against healthcare organizations in certain instances.
Two RATs, One Downloader. In the latest Andariel campaign, two of the DLang malware families being used are RATs, one of which Talos is calling NineRAT and is using Telegram bots and channels to communicate with the command-and-control (C2) system.
Another prominent hacking crew is APT37 (aka ScarCruft), which is part of the Ministry of State Security, unlike other threat activity clusters – i.e., APT43 (aka Kimsuky) and Lazarus Group (and its sub-groups Andariel and BlueNoroff) – that are affi...
Police said Andariel has established at least 83 connections to a South Korea-based rented server to target organizations and used a foreign woman's account to launder bitcoins obtained from ransomware victims.
IssueMakersLab also listed the ActiveX objects https://twitter.com/issuemakerslab/status/1001379628362039296 that the Andariel group attacked.
Other notorious groups on the list included Lazarus Group – the group blamed for 2017’s WannaCry attack, Andariel, and Bluenoroff.
2023-06-30 06:06 North Korea-linked cyberespionage group Andariel used a previously undocumented malware called EarlyRat.
December 8, 2023 Defense industry organizations in South Korea had data concerning anti-aircraft weapon systems exfiltrated by North Korean state-sponsored threat operation Anda...
Stopping these Lazarus-aligned groups is a top priority for the U.S. federal government, which in July 2022 offered https://www.bankinfosecurity.com/feds-double-reward-for-tips-on-north-korean-backed-actors-a-19647 a $10 million reward for informatio...
Our colleagues from the IssueMakersLab http://www.issuemakerslab.com/ team shared insights and information about the Andariel group, including that they attacked ActiveX vulnerabilities as far back as 2007.
The three groups mentioned in the report were the Lazarus Group https://www.techtimes.com/tags/lazarus-group, Kimsuky, and Andariel.
During the same period, Andariel also actively exploited the Log4j vulnerability as reported by Talos and Ahnlab.
We believe that the injected script came from the Andariel group since the code has similar obfuscation and structure to the sample we previously found from them.
Kaspersky observed Andariel first infecting machines through a Log4j flaw exploitation, then the threat actors downloaded further malware from the C2 server.
These new developments from the Andariel group give us an idea of their plans, although we cannot make specific assumptions about their strategy.
Documents discussing Andariel
Relevance score is determined via machine learning to identify which documents could be most valuable to read.

Created At      Title (Open original source)
a year ago      New Andariel Reconnaissance Tactics Uncovered
a year ago      Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups
4 months ago    Lazarus Group Exploits Log4j Flaw in New Malware Campaign
10 months ago   Log4j bug exploited to push novel EarlyRat malware
10 months ago   Andariel APT Hackers Drop a New Malware On Windows Via Weaponized MS Word Doc
4 months ago    North Korean Hackers Steal South Korean Anti-Aircraft Data
10 months ago   North Korean Andariel APT used a new malware named EarlyRat
6 months ago    North Korean hackers exploit critical TeamCity flaw to breach networks
10 months ago   Kaspersky crimeware report: Andariel’s mistakes and EasyRat malware
10 months ago   Andariel’s Mistakes Uncover New Malware in Lazarus Group Campaign
10 months ago   New Malware by Lazarus-Backed Andariel Group Exploits Log4j
4 months ago    Operation Blacksmith: Lazarus exploits Log4j flaws to deploy DLang malware
8 months ago    IT threat evolution Q2 2023
10 months ago   Andariel’s silly mistakes and a new malware family – GIXtools
4 months ago    Lazarus Group Is Still Juicing Log4Shell, Using RATs Written in 'D'
8 months ago    IT threat evolution in Q2 2023 – GIXtools
9 months ago    New Malware Alert: EarlyRAT Linked to North Korean Hacking Group
4 months ago    Lazarus Group continues to exploit Log4j flaw in latest campaign
10 months ago   North Korean Hacker Group Andariel Strikes with New EarlyRat Malware
10 months ago   North Korea-linked Andariel APT used a new malware named EarlyRat last year | IT Security News
Associated Indicators (10)