Severity
High
Analysis Summary
A North Korean state-sponsored threat actor named Andariel attacked three separate American organizations in August 2024 as part of an operation that was probably carried out for financial gain.
The researchers said, “While the attackers didn't succeed in deploying ransomware on the networks of any of the organizations affected, it is likely that the attacks were financially motivated.”
Andariel is thought to be a sub-cluster of the notorious Lazarus Group. It is also tracked as Operation Troy, DarkSeoul, Nickel Hyatt, Onyx Sleet (previously Plutonium), Stonefly, APT45, and Silent Chollima, and has been active since at least 2009. The group, part of North Korea's Reconnaissance General Bureau (RGB), has a history of using ransomware strains such as Maui and SHATTEREDGLASS. It has also developed a variety of custom backdoors, including Dtrack (also known as Valefor and Preft), TigerRAT, Black RAT (also known as ValidAlpha), Dora RAT, and LightHand.
Two of the threat actor's lesser-known tools are a data wiper code-named Jokra and an advanced implant called Prioxer, which exchanges data and commands with a command-and-control (C2) server. In July 2024, the U.S. Department of Justice (DoJ) indicted a North Korean military intelligence agent who was a member of the Andariel group. The indictment alleged that the agent had conducted ransomware attacks against healthcare facilities in the United States and had used the illicitly obtained funds to fund further intrusions into government, defense, and technology organizations worldwide.
The most recent wave of attacks is characterized by the use of Dtrack and another backdoor called Nukebot, which can run commands, download and upload files, and take screenshots. Stonefly has not previously been linked to Nukebot; the group most likely obtained the tool from its leaked source code. Although it is unclear exactly how initial access was obtained in these intrusions, Andariel has a history of breaking into target networks by exploiting known N-day vulnerabilities in internet-facing applications.
Other open-source or publicly available tools used in the intrusions include PuTTY, Plink, Sliver, Chisel, Mimikatz, Snap2HTML, and FastReverseProxy (FRP). The attackers have also been observed signing some of these tools with a bogus certificate purporting to be from Tableau Software, a technique Microsoft has previously documented.
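One way to hunt for the bogus-certificate pattern described above is to check the Authenticode status of binaries whose signer names Tableau but whose signature does not verify. The following is an added example for defenders, not code from the original advisory or the referenced research; it assumes a Windows host with the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets, and $ScanRoot is a placeholder path of your choosing.

```powershell
# Added example: flag PE files that claim a Tableau signer but fail signature
# validation (Status other than 'Valid'). A legitimately signed Tableau binary
# returns 'Valid'; NotTrusted, HashMismatch or UnknownError on a "Tableau"
# subject is the pattern worth triaging. $ScanRoot is a placeholder.
param(
    [string]$ScanRoot = 'C:\Users\Public'   # placeholder directory to scan
)

Get-ChildItem -Path $ScanRoot -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        if ($subject -match 'Tableau' -and $sig.Status -ne 'Valid') {
            # Emit the SHA-256 alongside the finding so it can be compared
            # against the advisory's published indicators.
            [pscustomobject]@{
                Path    = $_.FullName
                Status  = $sig.Status
                Subject = $subject
                SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    } | Format-Table -AutoSize
```

Because the check keys on the signer subject rather than a fixed hash, it also surfaces newly recompiled samples that reuse the same forged certificate.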
Cybersecurity researchers said that while Andariel's focus has shifted to espionage operations since 2019, this change to financially motivated attacks is a relatively recent development that has persisted despite U.S. government actions. The group will likely keep trying to carry out extortion attacks against American organizations.
Impact
- Data Exfiltration
- Command Execution
- Financial Loss
- Cyber Espionage
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure all operating systems and software are up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement intrusion detection and prevention systems (IDPS) to detect and block unusual network activity, anomalous system behavior, or similar threats.
- Enable two-factor authentication (2FA) on your accounts; this adds an extra layer of security and can help prevent unauthorized access even if login credentials have been stolen.
- Regularly back up important data to ensure that critical information is not lost in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.