In an online world, the menacing specter of cyber miscreants from North Korea, known as Andariel, has emerged once more on the data battlegrounds. Stealthily executing digital assaults against multinational corporations and organizations—chiefly those situated across the southern terrain—these skilled manipulators are adept at blending into the virtual shadows.
The Andariel faction, also referred to as Nicket Hyatt or Silent Chollima, is a sect of the more promiscuous Lazarus Group and has been active since 2008 at least. This cyber syndicate’s selection of victims covers a broad spectrum, placing an elite class of targets in their crosshairs: financial entities, defense contractors, government bodies, high-tech universities, cybersecurity firms, and energy powerhouses. These deliberate strikes back humanitarian pursuits, pressing on espionage missions and unduly amassing revenue for the nation-state.
Let’s Goooooo
All this is in addition to the FBI’s recent alerts that North Korea is attempting to unload stolen crryptocurrency. To uncover Andariel – the secret sinew of Lazarus Group – analysts at the AhnLab Security Emergency Response Center (ASEC) dove into the abyss of cyber threats. “One distinct feature we identified in their 2023 attacks was the abundant use of malware strains developed in the Go language,” they unearthed in their comprehensive expose last week.
Access to these prestigious targets is carried out through a medley of initial infection strategies. Spear-phishing exploits, watering holes, and supply-chain breaches represent just some of the tools employed by this adversary, serving as stepping stones to deliver a variety of malicious payloads.
So Many RATs
Among the vast catalogue of malware tapped by Andariel are notorious digital weapons such as Gh0st RAT, DTrack, YamaBot, NukeSped, Rifdoor, Phandoor, Andarat, Andaratm, TigerRAT and its sequel MagicRAT, and EarlyRAT, each equipped with its own unique devastation potential. One standout variant of TigerRAT, QuiteRAT, was recently flagged by Cisco Talos for its exploitation by Lazarus Group in intrusions compromising the security framework of Zoho ManageEngine ServiceDesk Plus.
February 2023 witnessed one such incursion, where the white knights from ASEC traced Andariel’s exploitation of security weaknesses in Innorix Agent, an enterprise file transfer solution. This provided a convenient route to peddle backdoors such as Volgmer and Andardoor, along with a Golang-based reverse shell given the alias 1th Troy.
Layers Upon Layers
Building on the basic commands of 1TH Troy, Andariel devised the Black RAT to amplify their foothold. Encoded in the Go language, it was engineered to extend support for file downloads and screenshot captures. Moreover, Goat RAT, another of this Go-based family, added to the group’s defenses with self-deletion capabilities after completing basic file assignments. Further collaborators to these corrupted ranks include AndarLoader, a scaled-down version of Andardoor, programmed in .NET to download and implement executables like .NET assemblies from distant sources, and DurianBeacon, skilled in downloading/uploading files and executing remote commands.
Analysts found that after successful infiltration via the compromised Innorix Agent, Goat RAT is initiated, followed by the AndarLoader’s deployment via DurianBeacon.
ASEC projects Andariel, alongside Kimsuky and Lazarus, as a predominant threat, migrating from their early focus on national security to an increasing interest in generating financial profit. This occurs amid recirculating claims of North Korean involvement in infiltrating open-source repositories such as npm and PyPI, tainting the software supply chain with deadly packages.
