Andariel

Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.[1][2][3][4][5]

Andariel is considered a sub-set of Lazarus Group, and has been attributed to North Korea's Reconnaissance General Bureau.[6]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

ID: G0138
Associated Groups: Silent Chollima, PLUTONIUM, Onyx Sleet
Contributors: Kyoung-ju Kwak (S2W)
Version: 2.0
Created: 29 September 2021
Last Modified: 08 January 2024

Associated Group Descriptions

Name Description
Silent Chollima

[5]

PLUTONIUM

[7]

Onyx Sleet

[7]

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Andariel has collected large numbers of files from compromised network systems for later extraction.[1]

Enterprise T1189 Drive-by Compromise

Andariel has used watering hole attacks, often with zero-day exploits, to gain initial access to victims within a specific IP range.[3][4]

Enterprise T1203 Exploitation for Client Execution

Andariel has exploited numerous ActiveX vulnerabilities, including zero-days.[1][2][4]

Enterprise T1592 .002 Gather Victim Host Information: Software

Andariel has inserted a malicious script within compromised websites to collect potential victim information such as browser type, system language, Flash Player version, and other data.[4]

Enterprise T1590 .005 Gather Victim Network Information: IP Addresses

Andariel has limited its watering hole attacks to specific IP address ranges.[3]

Enterprise T1105 Ingress Tool Transfer

Andariel has downloaded additional tools and malware onto compromised hosts.[3]

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

Andariel has hidden malicious executables within PNG files.[8][9]

Enterprise T1588 .001 Obtain Capabilities: Malware

Andariel has used a variety of publicly-available remote access Trojans (RATs) for its operations.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Andariel has conducted spearphishing campaigns that included malicious Word or Excel attachments.[3][8]

Enterprise T1057 Process Discovery

Andariel has used tasklist to enumerate processes and find a specific string.[9]

Enterprise T1049 System Network Connections Discovery

Andariel has used the netstat -naop tcp command to display TCP connections on a victim's machine.[9]

Enterprise T1204 .002 User Execution: Malicious File

Andariel has attempted to lure victims into enabling malicious macros within email attachments.[3]

Software

References