Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations, which have included destructive attacks, against South Korean government agencies, military organizations, and a variety of domestic companies; it has also conducted financially motivated operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
| Domain | ID | Name |
|---|---|---|
| Enterprise | T1005 | Data from Local System |
| Enterprise | T1203 | Exploitation for Client Execution |
| Enterprise | T1592.002 | Gather Victim Host Information: Software |
| Enterprise | T1590.005 | Gather Victim Network Information: IP Addresses |
| Enterprise | T1105 | Ingress Tool Transfer |
| Enterprise | T1027.003 | Obfuscated Files or Information: Steganography |
| Enterprise | T1588.001 | Obtain Capabilities: Malware |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment |
| Enterprise | T1049 | System Network Connections Discovery |
| Enterprise | T1204.002 | User Execution: Malicious File |
| ID | Name | Techniques |
|---|---|---|
| S0032 | gh0st RAT | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: Clear Windows Event Logs, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Process Discovery, Process Injection, Query Registry, Screen Capture, Shared Modules, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution |
| S0433 | Rifdoor | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Encrypted Channel: Symmetric Cryptography, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information, Phishing: Spearphishing Attachment, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, User Execution: Malicious File |