The updated tools allowed hackers to switch from espionage to financial attacks.
The North Korean hacker group Andariel (also tracked as Nickel Hyatt and Silent Chollima) continues its cyber attacks against corporations and organizations in South Korea. According to a study by the AhnLab Security Emergency Response Center (ASEC), in 2023 the group actively used malicious programs developed in the Golang (Go) programming language.
Andariel is a subgroup of the Lazarus Group. Its main targets include financial institutions, defense contractors, government agencies, universities, information security companies, and energy companies. The attacks serve both espionage and the financing of the country's activities.
The hackers use a variety of initial infection techniques, including spear phishing, watering-hole attacks, and attacks on software vendors. After successfully penetrating a system, the attackers deploy various types of malware.
The Andariel group is known for using the DTrack malware and the Maui ransomware. Andariel first attracted attention in mid-2022. Using the Log4Shell vulnerability, Andariel delivered various malware families to target devices, including YamaBot and MagicRat, as well as updated versions of NukeSped and DTrack.
Cisco Talos recently documented the use of a new QuiteRAT Trojan that exploits vulnerabilities in Zoho ManageEngine ServiceDesk Plus. In addition, Andariel distributed the 1th Troy backdoor, written in Golang. 1th Troy supports command execution, process termination, and self-deletion.
New developments
In addition, Andariel uses new malware:
- Black RAT (written in Go), which extends the functionality of 1th Troy with file upload and screenshot capture;
- Goat RAT (written in Go), which supports basic file operations and self-deletion;
- AndarLoader (written in .NET), a simplified version of Andardoor that acts as a loader, retrieving executable files from external sources and running them;
- DurianBeacon (written in Go and Rust), which can upload and send files and execute commands received from a remote server.
ASEC said that Andariel is one of the most active threats targeting Korea, alongside Kimsuky and Lazarus. According to the experts, the group used to focus on obtaining information related to national security, but it now conducts attacks for financial purposes.
In June, Kaspersky Lab researchers discovered a previously undocumented malware family and identified operational errors made by the Andariel group. Notably, the experts observed commands being executed by a human operator and noted numerous mistakes and typos, suggesting that an inexperienced attacker was behind the operation.
