Analysis of Andariel's New Attack Activities
2023-08-31 • AhnLab
AhnLab describes recent attacks assessed as linked to Andariel, a Lazarus-affiliated group that has targeted Korean corporations, universities, logistics, ICT, defense, political, shipbuilding, energy, and communications organizations. The 2023 activity includes abuse of vulnerable Innorix Agent file-transfer clients and a shift toward malware written in Go, such as Goat RAT and DurianBeacon, with DurianBeacon also appearing in a Rust version. Earlier Innorix-related cases infected multiple Korean universities with backdoors, including a NukeSped/Volgmer-like variant that reused the same 0x10-byte key associated with Hidden Cobra Volgmer but applied it to C2 packet encryption rather than to its original purpose. AhnLab presents these malware analyses as the basis for attributing the recent attacks to Andariel, even though neither past C2 servers nor exact earlier malware strains were reused.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 426bb55531e8e3055c942a1a035e46b9 | 2023-08-22 | 2024-07-25 |
| HASH | 6ab4eb4c23c9e419fbba85884ea141f4 | 2023-08-22 | 2024-07-25 |
| HASH | deae4be61c90ad6d499f5bdac5dad242 | 2023-08-22 | 2024-07-25 |
| HASH | 79e474e056b4798e0a3e7c60dd67fd28 | 2023-08-22 | 2024-07-25 |
| HASH | bbaee4fe73ccff1097d635422fdc0483 | 2023-08-22 | 2024-07-25 |
| HASH | 5291aed100cc48415636c4875592f70c | 2023-08-22 | 2024-07-25 |
| HASH | 95c276215dcc1bd7606c0cb2be06bf70 | 2023-08-22 | 2024-07-25 |
| HASH | eb35b75369805e7a6371577b1d2c4531 | 2023-08-22 | 2024-07-25 |
| HASH | f4795f7aec4389c8323f7f40b50ae46f | 2023-08-22 | 2024-07-25 |
| HASH | cfae52529468034dbbb40c9a985fa504 | 2023-08-22 | 2024-07-25 |
| HASH | bda0686d02a8b7685adf937cbcd35f46 | 2023-08-22 | 2024-07-25 |
| HASH | 5a3f3f75048b9cec177838fb8b40b945 | 2023-08-22 | 2024-07-25 |
| HASH | 6de6c27ca8f4e00f0b3e8ff5185a59d1 | 2023-08-22 | 2024-07-25 |
| HASH | c61a8c4f6f6870c7ca0013e084b893d2 | 2023-08-22 | 2024-07-25 |
| HASH | 9d7bd0caed10cc002670faff7ca130f5 | 2023-08-22 | 2024-07-25 |
| HASH | 8434cdd34425916be234b19f933ad7ea | 2023-08-22 | 2024-07-25 |
| DOMAIN | privatemake.bounceme.net | 2023-08-22 | 2024-07-25 |
| HASH | c892c60817e6399f939987bd2bf5dee0 | 2023-02-15 | 2024-07-25 |
| HASH | 1ffccc23fef2964e9b1747098c19d956 | 2023-02-15 | 2024-07-25 |
| HASH | 0211a3160cc5871cbcd4e5514449162b | 2023-02-15 | 2024-07-25 |
| HASH | ac0ada011f1544aa3a1cf27a26f2e288 | 2023-02-15 | 2024-07-25 |
| HASH | 88a7c84ac7f7ed310b5ee791ec8bd6c5 | 2023-02-15 | 2024-07-25 |
| HASH | 9112efb49cae021abebd3e9a564e6ca4 | 2023-02-15 | 2024-07-25 |
| HASH | bcac28919fa33704a01d7a9e5e3ddf3f | 2023-02-15 | 2024-07-25 |
| HASH | 0a09b7f2317b3d5f057180be6b6d0755 | 2023-02-15 | 2024-07-25 |
| HASH | e5410abaaac69c88db84ab3d0e9485ac | 2023-02-15 | 2024-07-25 |
| IPv4 | 4.246.149.227 | 2023-08-22 | 2024-05-30 |
| HASH | 01ccce480c60fcdb67b54f4509ffdb56 | 2023-08-22 | 2023-11-20 |
| HASH | dd7b696b96434d2bf07b34f9c125d51d | 2023-08-22 | 2023-11-20 |
| URL | http://www.ipservice.kro.kr/cre… | 2023-08-22 | 2023-08-31 |
| URL | http://www.ipservice.kro.kr/dat… | 2023-08-22 | 2023-08-31 |
| DOMAIN | bbs.topigsnorsvin.com | 2023-08-22 | 2023-08-31 |
| DOMAIN | chinesekungfu.org | 2023-08-22 | 2023-08-31 |
| IPv4 | 27.102.107.230 | 2023-08-22 | 2023-08-31 |
| IPv4 | 8.213.128.76 | 2023-08-22 | 2023-08-31 |
| IPv4 | 13.76.133.68 | 2023-08-22 | 2023-08-31 |
| IPv4 | 27.102.107.233 | 2023-08-22 | 2023-08-31 |
| IPv4 | 217.195.153.233 | 2023-08-22 | 2023-08-31 |
| IPv4 | 27.102.129.196 | 2023-08-22 | 2023-08-31 |
| IPv4 | 27.102.107.235 | 2023-08-22 | 2023-08-31 |
| IPv4 | 46.183.223.21 | 2023-08-22 | 2023-08-31 |
| IPv4 | 109.248.150.179 | 2023-02-15 | 2023-08-31 |
| IPv4 | 27.102.113.88 | 2023-02-15 | 2023-08-31 |
| IPv4 | 139.177.190.243 | 2023-02-15 | 2023-08-31 |
| IPv4 | 4.246.144.112 | 2023-02-15 | 2023-08-31 |
| IPv4 | 27.102.107.224 | 2023-02-15 | 2023-08-31 |
| IPv4 | 27.102.107.234 | 2023-02-15 | 2023-08-31 |
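As an added example (not code from AhnLab's report), the following Python script turns the indicator table above into typed indicators and matches them against log lines. The table excerpt is copied from the page; the log lines, the host `cdn.chinesekungfu.org` and the path `/cre-constructed-path` are constructed for the demonstration. Indicators the page shows truncated with "…" are matched only as prefixes, because the full value is not on the page; hashes and domains are case-normalized, and a subdomain of a listed domain counts as a hit.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the indicator table on this page (six of the rows).
# The truncated URL is kept exactly as the page shows it: prefix plus "…".
IOC_TABLE = """\
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 426bb55531e8e3055c942a1a035e46b9 | 2023-08-22 | 2024-07-25 |
| DOMAIN | privatemake.bounceme.net | 2023-08-22 | 2024-07-25 |
| IPv4 | 4.246.149.227 | 2023-08-22 | 2024-05-30 |
| URL | http://www.ipservice.kro.kr/cre… | 2023-08-22 | 2023-08-31 |
| DOMAIN | chinesekungfu.org | 2023-08-22 | 2023-08-31 |
| IPv4 | 27.102.107.230 | 2023-08-22 | 2023-08-31 |
"""

# Constructed log lines for the demonstration; none come from the report.
# Line 4 uses a made-up path under the truncated URL prefix, line 5 is benign,
# and line 6 is a made-up subdomain of a listed domain.
SAMPLE_LOGS = [
    "2023-08-23T10:15:01Z proxy src=10.0.0.5 dst=27.102.107.230 dport=443 action=allow",
    "2023-08-23T10:16:44Z dns query=privatemake.bounceme.net type=A client=10.0.0.5",
    r"2023-08-23T10:17:02Z edr file=C:\Users\user\AppData\Local\Temp\svc.exe md5=426BB55531E8E3055C942A1A035E46B9",
    "2023-08-23T10:18:30Z proxy src=10.0.0.5 url=http://www.ipservice.kro.kr/cre-constructed-path action=allow",
    "2023-08-23T10:19:00Z proxy src=10.0.0.7 dst=8.8.8.8 dport=53 action=allow",
    "2023-08-23T10:20:11Z dns query=cdn.chinesekungfu.org type=A client=10.0.0.9",
]

HASH_RE = re.compile(r"\b[0-9a-f]{32}\b")                 # MD5, applied to lowercased text
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")   # dotted hostnames, lowercased text
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass(frozen=True)
class Indicator:
    kind: str        # HASH, DOMAIN, IPv4 or URL, as written in the table
    value: str       # normalized value (lowercase for hashes and domains)
    truncated: bool  # True when the page only shows a prefix ("…")
    first_seen: str
    last_seen: str


def parse_ioc_table(text):
    """Parse the markdown IoC table into Indicator objects, skipping header and rule rows."""
    indicators = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Type" or set(cells[0]) <= {"-"}:
            continue
        kind, raw = cells[0], cells[1]
        truncated = raw.endswith("…") or raw.endswith("...")
        value = raw.rstrip("….")  # drop the ellipsis, keep the visible prefix only
        if kind in ("HASH", "DOMAIN"):
            value = value.lower()
        indicators.append(Indicator(kind, value, truncated, cells[2], cells[3]))
    return indicators


def match_log_line(line, indicators):
    """Return [(kind, indicator_value)] for every indicator that appears in one log line."""
    low = line.lower()
    hashes = set(HASH_RE.findall(low))
    ips = set(IPV4_RE.findall(line))
    hosts = set(HOST_RE.findall(low))
    urls = set(URL_RE.findall(line))
    hits = []
    for ind in indicators:
        if ind.kind == "HASH" and ind.value in hashes:
            hits.append((ind.kind, ind.value))
        elif ind.kind == "IPv4" and ind.value in ips:
            hits.append((ind.kind, ind.value))
        elif ind.kind == "DOMAIN" and any(
            h == ind.value or h.endswith("." + ind.value) for h in hosts
        ):
            hits.append((ind.kind, ind.value))
        elif ind.kind == "URL":
            # A truncated indicator can only be matched as a prefix; a full one exactly.
            if any(u.startswith(ind.value) if ind.truncated else u == ind.value for u in urls):
                hits.append((ind.kind, ind.value))
    return hits


def scan_logs(lines, indicators):
    """Return [(line_number, kind, indicator_value)] across a list of log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, value in match_log_line(line, indicators):
            findings.append((n, kind, value))
    return findings


if __name__ == "__main__":
    inds = parse_ioc_table(IOC_TABLE)
    for n, kind, value in scan_logs(SAMPLE_LOGS, inds):
        print(f"line {n}: {kind} {value}")
```

The `first_seen`/`last_seen` columns are carried through so a consumer can age out indicators; note that most network indicators in the table were last seen on 2023-08-31, while the hashes and `privatemake.bounceme.net` remained current into 2024, so a hit on a shared or reassigned cloud IP such as those in the 4.246.x.x range deserves corroboration before escalation.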