Cunning cloaking techniques turn simple code into a puzzle for specialists.
A new keylogger associated with the North Korean Andariel group was recently identified during an analysis on the Hybrid Analysis platform. Also known as APT45, Silent Chollima or Onyx Sleet, the Andariel group is believed to be targeting American organizations. Experts have studied the capabilities of this malicious program, including its functions for registering keystrokes and mouse movements.
One of the features of the keylogger is the use of "garbage" code, which complicates analysis. This code is included specifically to slow down analysts and prevent rapid detection. The analysis showed that the keylogger installs global Windows hooks to capture keyboard and mouse events.
While running, the keylogger records the keys pressed and mouse actions and stores them in a password-protected archive created in a temporary folder. Experts also found that the keylogger can modify entries in the Windows registry, which helps it remain active even after the system is rebooted.
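The two behaviours just described (a registry change for persistence and an archive dropped in a temporary folder) are both visible in endpoint telemetry, and a defender can correlate them per process. The following is an added detection example, not code from the original article or from any analysis of the malware: it runs over a handful of constructed Sysmon-style events (Event ID 11 file creation, Event ID 13 registry value set) and flags any process image that both writes a Run-key value and drops an archive under a Temp directory. The Run key as the persistence location, the file paths and the image names are assumptions made for the sample data.

```python
"""Correlate registry Run-key writes with archive drops in a Temp folder.

Events are constructed to resemble Sysmon Event ID 11 (FileCreate) and
Event ID 13 (RegistryEvent, value set); none of them are real telemetry.
"""
import re
from collections import defaultdict

# Constructed sample events. Paths, SIDs and image names are invented;
# the Run key is an assumed persistence location, not one from the article.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\alice\AppData\Local\svc\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 11,
     "Image": r"C:\Users\alice\AppData\Local\svc\update.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\~log.zip"},
    # Benign: a user archiving a document with a known tool, outside Temp.
    {"EventID": 11,
     "Image": r"C:\Program Files\7-Zip\7zG.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.zip"},
    # Benign-looking: an installer registering a Run value but dropping nothing.
    {"EventID": 13,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Installer"},
]

# Registry autostart locations under CurrentVersion (Run and RunOnce).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Any path component named Temp or Tmp.
TEMP_DIR_RE = re.compile(r"\\(Temp|Tmp)\\", re.IGNORECASE)
# Common archive extensions; extend as needed for your environment.
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z)$", re.IGNORECASE)


def is_run_key_write(event):
    """True for an Event ID 13 whose target value sits under a Run/RunOnce key."""
    return (event.get("EventID") == 13
            and RUN_KEY_RE.search(event.get("TargetObject", "")) is not None)


def is_temp_archive_drop(event):
    """True for an Event ID 11 creating an archive file inside a Temp directory."""
    name = event.get("TargetFilename", "")
    return (event.get("EventID") == 11
            and TEMP_DIR_RE.search(name) is not None
            and ARCHIVE_RE.search(name) is not None)


def correlate(events):
    """Return the sorted process images that show BOTH behaviours.

    Either behaviour alone is common in benign software; requiring both
    from the same image keeps the rule narrow enough to triage by hand.
    """
    tags_by_image = defaultdict(set)
    for ev in events:
        image = ev.get("Image", "")
        if is_run_key_write(ev):
            tags_by_image[image].add("run_key_persistence")
        if is_temp_archive_drop(ev):
            tags_by_image[image].add("temp_archive_drop")
    return sorted(img for img, tags in tags_by_image.items() if len(tags) == 2)


if __name__ == "__main__":
    for image in correlate(SAMPLE_EVENTS):
        print("suspicious persistence + staged archive:", image)
```

In practice the same two predicates map directly onto a SIEM query over Sysmon or EDR data; the value of the correlation is that a process which both persists and stages an archive in Temp is a much shorter list to review than either event stream on its own.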
It was also revealed that the keylogger intercepts and writes the contents of the clipboard using the appropriate system calls. This allows attackers to obtain data that the user has copied, such as passwords or other sensitive information.
In addition, the program records a timestamp for each event, logging the date and time of every new action. This lets the operators assemble a more complete picture of the user's activity on the computer.
The Andariel group malware continues to evolve, demonstrating how advanced threats adapt to protection methods and analytics. The inclusion of garbage code and evasion techniques makes it difficult for security professionals to continually improve their cyber defense tools.
This keylogger is not just a means of collecting data, but also an example of a clever disguise that complicates countermeasures and emphasizes the importance of detecting such threats in a timely manner.
Source