Analysis of Andariel’s New Attack Activities


The Andariel threat group which usually targets Korean corporations and organizations is known to be affiliated with the Lazarus threat group or one of its subsidiaries. Attacks against Korean targets have been identified since 2008. Major target industries are those related to national security such as national defense, political organizations, shipbuilding, energy, and communications. Various other companies and institutes in Korea including universities, logistics, and ICT companies are also becoming attack targets. [1] (this report only supports the Korean version)

During the initial compromise stage, the Andariel threat group usually employs spear phishing, watering hole, and supply chain attacks. Additionally, there are cases where the group abuses central management solutions during the malware installation process. [2] A notable fact about the group is its creation and use of various malware types in its attacks. There are many backdoor types, including Andarat, Andaratm, Phandoor, and Rifdoor used in the past attacks, as well as TigerRAT [3] and MagicRAT [4] which have been detected for the past few years.

Read more…