1. Home
  2. Groups
  3. Andariel

Andariel

Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.[1][2][3][4][5]

Andariel is considered a sub-set of Lazarus Group, and has been attributed to North Korea's Reconnaissance General Bureau.[6]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

ID: G0138
Associated Groups: Silent Chollima, PLUTONIUM, Onyx Sleet
Contributors: Kyoung-ju Kwak (S2W)
Version: 2.0
Created: 29 September 2021
Last Modified: 12 September 2024
Version Permalink

Associated Group Descriptions

Name Description
Silent Chollima

[5]
PLUTONIUM

[7]
Onyx Sleet

[7]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Andariel has collected large numbers of files from compromised network systems for later extraction.[1]
Enterprise T1189 Drive-by Compromise

Andariel has used watering hole attacks, often with zero-day exploits, to gain initial access to victims within a specific IP range.[3][4]
Enterprise T1203 Exploitation for Client Execution

Andariel has exploited numerous ActiveX vulnerabilities, including zero-days.[1][2][4]
Enterprise T1592 .002 Gather Victim Host Information: Software

Andariel has inserted a malicious script within compromised websites to collect potential victim information such as browser type, system language, Flash Player version, and other data.[4]
Enterprise T1590 .005 Gather Victim Network Information: IP Addresses

Andariel has limited its watering hole attacks to specific IP address ranges.[3]
Enterprise T1105 Ingress Tool Transfer

Andariel has downloaded additional tools and malware onto compromised hosts.[3]
Enterprise T1027 .003 Obfuscated Files or Information: Steganography

Andariel has hidden malicious executables within PNG files.[8][9]
Enterprise T1588 .001 Obtain Capabilities: Malware

Andariel has used a variety of publicly-available remote access Trojans (RATs) for its operations.[1]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Andariel has conducted spearphishing campaigns that included malicious Word or Excel attachments.[3][8]
Enterprise T1057 Process Discovery

Andariel has used tasklist to enumerate processes and find a specific string.[9]
Enterprise T1049 System Network Connections Discovery

Andariel has used the netstat -naop tcp command to display TCP connections on a victim's machine.[9]
Enterprise T1204 .002 User Execution: Malicious File

Andariel has attempted to lure victims into enabling malicious macros within email attachments.[3]

Software

ID Name References Techniques
S0032 gh0st RAT [3] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Hijack Execution Flow: DLL Side-Loading, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Process Discovery, Process Injection, Query Registry, Screen Capture, Shared Modules, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution
S0433 Rifdoor [3] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Encrypted Channel: Symmetric Cryptography, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Binary Padding, Phishing: Spearphishing Attachment, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, User Execution: Malicious File

References

  1. FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 12, 2024.
  2. IssueMakersLab. (2017, May 1). Operation GoldenAxe. Retrieved September 12, 2024.
  3. AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021.
  4. Chen, Joseph. (2018, July 16). New Andariel Reconnaissance Tactics Uncovered. Retrieved September 29, 2021.
  5. CrowdStrike. (2021, September 29). Silent Chollima Adversary Profile. Retrieved September 29, 2021.
  1. US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.
  2. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  3. Jazi, H. (2021, April 19). Lazarus APT conceals malicious code within BMP image to drop its RAT . Retrieved September 29, 2021.
  4. Park, S. (2021, June 15). Andariel evolves to target South Korea with ransomware. Retrieved September 29, 2021.