Andariel evolves to target South Korea with ransomware

2021-06-15 Kaspersky

https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/

Kaspersky attributed a 2021 South Korea-focused campaign to Andariel, a Lazarus sub-group, based on code overlap with earlier Andariel malware and distinctive post-exploitation command usage. The activity used weaponized Korean Word documents and PDF-like delivery paths that launched HTA payloads with mshta.exe, including URLs on compromised sites such as allamwith.com, jinjinpig.co.kr, ypelec.co.kr, and conkorea.com. The second-stage “Simple agent” decrypted and ran an embedded payload in memory before selected victims received a final backdoor, and one victim was also infected with custom ransomware. The ransomware component and prior ATM compromise show Andariel combining espionage tradecraft with financially motivated operations.

Indicators of Compromise


Related Actors

First seen: Jul 2017
Last seen: May 2026

Related Reports

2024-07-19 • 41% Match
Shares tags: Andariel, T1041, T1113