Emulating the Politically Motivated North Korean Adversary Andariel – Part 2

2024-07-31 Attack IQ

https://www.attackiq.com/2024/07/31/emulating-andariel/

Thumbnail for Emulating the Politically Motivated North Korean Adversary Andariel – Part 2

On December 11, 2023, Cisco Talos reported the discovery of an activity led by Andariel, a North Korean state-sponsored known to be a subgroup of the notorious Lazarus group, which employed three new DLang-based malware families. This activity consists of continued opportunistic targeting of enterprises that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation. The adversary, a subgroup of the notorious Lazarus group, is suspected to be operating in support of the DPRK’s RGB 3rd Bureau. Operation Blacksmith involved the exploitation of CVE-2021-44228, also known as Log4Shell, and the use of a previously unknown DLang-based Remote Access Trojan (RAT) named NineRAT, which employs Telegram as its C2 channel.

Related Actors

First seen: Jul 2017
Last seen: May 2026

Related Reports

2024-07-19 • 61% Match
#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1082 #T1059.003 #T1090 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1555 #T1560 #T1071.001 #T1046 #T1112 #T1115 #T1083 #T1497 #T1056.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1071 #T1124 #T1222 #T1552 #T1057 #T1583.003 #T1518.001 #T1547.001 #T1053.005 #T1539 #T1608.005 #T1583.001 #T1059.001 #T1053 #T1552.001 #T1566 #T1059 #T1003 #T1497.001 #T1102.001 #T1574.002 #T1562.001 #T1490 #T1486 #T1129 #T1133 #T1571 #T1548 #T1190 #T1203 #T1564.001 #T1087 #T1562.004 #T1218.011 #T1070.006 #T1547 #T1068 #T1614 #T1573 #T1095 #T1562 #T1070 #T1047 #T1056 #T1176 #T1010 #T1033 #T1569.002 #T1543.003 #T1485 #T1012 #T1202 #T1087.002 #T1021.004 #T1222.001 #T1518 #T1564.003 #T1505.003 #T1069.002 #T1564 #T1595.002 #T1027.005 #T1070.001 #T1056.004 #T1584
Shares tags: Andariel, T1082, T1083 • Published within a month
« Back