From gbhackers.com
%20(1).webp)
The Andariel threat group was observed conducting persistent attacks against domestic businesses, specifically installing MeshAgent for remote screen control while conducting the attack.
MeshAgent collects basic system information for remote management and performs activities such as power and account management, chat or message pop-ups, file upload/download, and command execution.
It also has remote desktop support. In particular, the web supports remote desktop protocols like RDP and VNC.
“The attacker exploited domestic asset management solutions to install malicious code, most notably AndarLoader and ModeLoader”, AhnLab Security Intelligence Center (ASEC) shared with Cyber Security News.
Among the threat groups currently targeting Korea are the Andariel group, the Kimsuky group, and the Lazarus group.
As part of the initial access, it has also been known to launch supply chain, spear phishing, or watering hole attacks.
The malware is spread by taking advantage of installed software or flaws in the attack process.